feat: add web of trust check

Author: ZigBalthazar

src/decorators/field.decorators.ts

@@ -25,7 +25,7 @@ import {
 import _ from 'lodash';
 
 import { ApiEnumProperty, ApiUUIDProperty } from './property.decorators';
-import { PhoneNumberSerializer, ToArray, ToBoolean, ToLowerCase, ToUpperCase, Trim } from './transform.decorators';
+import {ToArray, ToBoolean, ToLowerCase, ToUpperCase, Trim } from './transform.decorators';
 import { IsPassword, IsPhoneNumber, IsTmpKey } from './validator.decorators';
 
 interface IStringFieldOptions {
@@ -218,23 +218,6 @@ export function EmailFieldOptional(
   return applyDecorators(IsOptional(), EmailField({ required: false, ...options }));
 }
 
-export function PhoneField(
-  options: Omit<ApiPropertyOptions, 'type'> & Partial<{ swagger: boolean }> = {},
-): PropertyDecorator {
-  const decorators = [IsPhoneNumber(), PhoneNumberSerializer()];
-
-  if (options.swagger !== false) {
-    decorators.push(ApiProperty({ type: String, ...options }));
-  }
-
-  return applyDecorators(...decorators);
-}
-
-export function PhoneFieldOptional(
-  options: Omit<ApiPropertyOptions, 'type' | 'required'> & Partial<{ swagger: boolean }> = {},
-): PropertyDecorator {
-  return applyDecorators(IsOptional(), PhoneField({ required: false, ...options }));
-}
 
 export function UUIDField(
   options: Omit<ApiPropertyOptions, 'type' | 'format'> & Partial<{ each: boolean; swagger: boolean }> = {},

src/modules/auth/guards/nip98-auth.guard.ts

@@ -3,7 +3,7 @@ import { AuthGuard } from '@nestjs/passport';
 
 @Injectable()
 export class Nip98AuthGuard extends AuthGuard('nip98') {
-  handleRequest(err: unknown, user: unknown) {
+  handleRequest(err: any, user: any) {
     if (err || !user) {
       throw err || new UnauthorizedException();
     }

src/modules/auth/strategies/nip-98.strategy.ts

@@ -1,55 +1,46 @@
 import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
-import type { Request } from 'express';
-import type { Event } from 'nostr-tools';
-import { verifyEvent } from 'nostr-tools';
+import { Event, verifyEvent } from 'nostr-tools';
+import { Request } from 'express';
 import { Strategy } from 'passport-strategy';
 
 @Injectable()
 export class Nip98Strategy extends PassportStrategy(Strategy, 'nip98') {
   public Scheme = 'Nostr';
 
+  constructor() {
+    super();
+  }
 
   authenticate(req: unknown) {
-    const request = req as Request;
-    const authHeader = request.headers.authorization;
+    const request = req as Request
+    const authHeader = request.headers['authorization'];
 
     if (!authHeader) {
-      this.fail(new UnauthorizedException('Missing Authorization header'), 401);
-
-      return;
+      return this.fail(new UnauthorizedException('Missing Authorization header'), 401);
     }
 
     if (authHeader.slice(0, 5) !== this.Scheme) {
-      this.fail(new UnauthorizedException('Invalid auth scheme'), 401);
-
-      return;
+      return this.fail(new UnauthorizedException('Invalid auth scheme'), 401);
     }
 
     const token = authHeader.slice(6);
 
     const bToken = Buffer.from(token, 'base64').toString('utf-8');
 
-    if (!bToken || bToken.length === 0 || !bToken.startsWith('{')) {
-      this.fail(new UnauthorizedException('Invalid token'), 401);
-
-      return;
+    if (!bToken || bToken.length === 0 || bToken[0] != '{') {
+      return this.fail(new UnauthorizedException('Invalid token'), 401);
     }
 
     const ev = JSON.parse(bToken) as Event;
 
     const isValidEvent = verifyEvent(ev);
-
     if (!isValidEvent) {
-      this.fail(new UnauthorizedException('Invalid event'), 401);
-
-      return;
+      return this.fail(new UnauthorizedException('Invalid event'), 401);
     }
 
     if (ev.kind != 27_235) {
-      this.fail(new UnauthorizedException('Invalid nostr event, wrong kind'), 401);
-
-      return;
+      return this.fail(new UnauthorizedException('Invalid nostr event, wrong kind'), 401);
     }
 
     const now = Date.now();
@@ -63,11 +54,8 @@ export class Nip98Strategy extends PassportStrategy(Strategy, 'nip98') {
     const methodTag = ev.tags[1]?.[1];
     const a = new URL(urlTag!).pathname;
     console.log(new URL(urlTag!).pathname == request.path);
-
     if (!urlTag || new URL(urlTag).pathname !== request.path) {
-      this.fail(new UnauthorizedException('Invalid nostr event, URL tag invalid'), 401);
-
-      return;
+      return this.fail(new UnauthorizedException('Invalid nostr event, URL tag invalid'), 401);
     }
 
     if (!methodTag || methodTag.toLowerCase() !== request.method.toLowerCase()) {

src/modules/notification/transporters/nostr.transporter.ts

@@ -15,9 +15,8 @@ if (semver.lt(nodeVersion, '20.0.0')) {
   global.WebSocket = require('isomorphic-ws');
 } else {
   // polyfills for node 20
-  // @ts-expect-error
   if (!globalThis.crypto) {
-    globalThis.crypto = webcrypto;
+    globalThis.crypto = webcrypto as unknown as Crypto;
   }
 
   global.WebSocket = require('isomorphic-ws');

src/modules/subscriptions/subscriptions.service.ts

@@ -10,7 +10,7 @@ import { InjectRedis } from '@nestjs-modules/ioredis';
 import { hexToBytes } from '@noble/hashes/utils';
 import axios from 'axios';
 import Redis from 'ioredis';
-import { nip19 } from 'nostr-tools';
+import { Event, finalizeEvent, kinds, nip19, Relay, SimplePool } from 'nostr-tools';
 import { lastValueFrom } from 'rxjs';
 import { ObjectId } from 'typeorm';
 import type { MongoFindOneOptions } from 'typeorm/find-options/mongodb/MongoFindOneOptions';
@@ -29,6 +29,24 @@ import type { SubscriptionEntity } from './entities/subscription.entity';
 import { SubscriptionStatusEnum } from './enums/subscription-status.enum';
 import { SubscriptionTemplate } from './notify-template';
 import { SubscriptionRepository } from './subscriptions.repository';
+import { webcrypto } from 'node:crypto';
+
+const semver = require('semver');
+
+const nodeVersion = process.version;
+
+if (semver.lt(nodeVersion, '20.0.0')) {
+  // polyfills for node 18
+  global.crypto = require('node:crypto');
+  global.WebSocket = require('isomorphic-ws');
+} else {
+  // polyfills for node 20
+  if (!globalThis.crypto) {
+    globalThis.crypto = webcrypto as unknown as Crypto;
+  }
+
+  global.WebSocket = require('isomorphic-ws');
+}
 
 @Injectable()
 export class SubscriptionsService {
@@ -97,6 +115,71 @@ export class SubscriptionsService {
       throw new BadRequestException('invalid npub');
     }
 
+    const wotConf = this.apiConfig.webOfTrustConfig;
+    const createdAt = Math.floor(Date.now() / 1000);
+
+    const event = {
+      kind: 5312,
+      created_at: createdAt,
+      tags: [
+        ['param', 'target', pubkey],
+        ['param', 'limit', '1'],
+      ],
+      content: '',
+    };
+
+    const signedEvent = finalizeEvent(event, hexToBytes(this.apiConfig.getNostrConfig.privateKey));
+
+    const relay = await Relay.connect(wotConf.relay);
+    await relay.publish(signedEvent);
+
+    await new Promise<void>((resolve, reject) => {
+      const pool = new SimplePool();
+      let resolved = false;
+
+      const timeout = setTimeout(() => {
+        if (!resolved) {
+          resolved = true;
+          pool.close([wotConf.relay]);
+          resolve();
+        }
+      }, 4000); // 4 seconds
+
+      pool.subscribeMany(
+        [wotConf.relay],
+        [
+          {
+            '#p': [signedEvent.pubkey],
+            '#e': [signedEvent.id],
+          },
+        ],
+        {
+          onevent(event: Event) {
+            if (resolved) return;
+
+            try {
+              const { rank } = JSON.parse(event.content)[0] as { rank: string };
+
+              pool.close([wotConf.relay]);
+              clearTimeout(timeout);
+              resolved = true;
+
+              if (parseFloat(rank) < parseFloat(wotConf.relayMinRank)) {
+                reject(new BadRequestException('pubkey rank is too low'));
+              } else {
+                resolve();
+              }
+            } catch (err) {
+              pool.close([wotConf.relay]);
+              clearTimeout(timeout);
+              resolved = true;
+              reject(new Error('Failed to parse rank event'));
+            }
+          },
+        },
+      );
+    });
+
     const subscription = await this.getSubscriptionPlan(planId);
 
     const headers = {
@@ -118,11 +201,9 @@ export class SubscriptionsService {
 
     try {
       const response = await axios.post(this.apiUrl, data, { headers });
-
       return response.data.url;
     } catch (error) {
       this.logger.error('Error generating checkout session:', error.response?.data || error.message);
-
       throw new Error('Could not generate checkout session');
     }
   }

src/shared/services/api-config.service.ts

@@ -116,6 +116,13 @@ export class ApiConfigService {
     };
   }
 
+  get webOfTrustConfig() {
+    return {
+      relay: this.getString('WOT_RELAY'),
+      relayMinRank: this.getString('WOT_RELAY_MIN_RANK'),
+    };
+  }
+
   get grpcConfig() {
     return {
       port: this.getString('GRPC_PORT'),