update nostr message to include signature for public key

2024-10-04 13:24:07 -06:00
parent 5efd3e0e89
commit 9f4a19993e
5 changed files with 65 additions and 26 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,12 +6,21 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).


+## [0.3.29-beta]
+### Changed
+- Send signed data to nostr endpoints to verify public key ownership.
+### Changed in DB or environment
+- Uses Endorser.ch version 4.1.1
+
+
 ## [0.3.28]
 ### Added
 - Posting to nostr apps Trustroots & TripHopping
 - Display of providers on claim view page
 ### Changed
 - Switched BVC-meeting-ending gift to be a gift from the group.
+### Changed in DB or environment
+- Requires Endorser.ch version 4.1.0


 ## [0.3.27] - 2024.09.22 - ee23e6f005e47f5bd6f04d804599f6395371b0e4
--- a/README.md
+++ b/README.md
@@ -72,7 +72,7 @@ npm run build

 * `rsync -azvu -e "ssh -i ~/.ssh/..." dist ubuntutest@test.timesafari.app:time-safari`

-* Commit changes. Record the new hash in the changelog. Edit package.json to increment version & add "-beta", `npm install`, and commit. Also record what version is on production.
+* Record the new hash in the changelog. Edit package.json to increment version & add "-beta", `npm install`, and commit. Also record what version is on production.

 * [Tag with the new version.](https://gitea.anomalistdesign.com/trent_larson/crowd-funder-for-time-pwa/releases)

--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "TimeSafari",
-  "version": "0.3.28",
+  "version": "0.3.28-beta",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "TimeSafari",
-      "version": "0.3.28",
+      "version": "0.3.28-beta",
      "dependencies": {
        "@dicebear/collection": "^5.4.1",
        "@dicebear/core": "^5.4.1",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "TimeSafari",
-  "version": "0.3.28",
+  "version": "0.3.28-beta",
  "scripts": {
    "dev": "vite",
    "serve": "vite preview",
--- a/src/views/NewEditProjectView.vue
+++ b/src/views/NewEditProjectView.vue
@@ -105,13 +105,11 @@
      <span class="col-span-1 w-full flex justify-center">{{ zoneName }}</span>
    </div>

-    <div class="flex items-center mb-4">
-      <input
-        type="checkbox"
-        class="mr-2"
-        v-model="includeLocation"
-        @click="includeLocation = !includeLocation"
-      />
+    <div
+      class="flex items-center mb-4"
+      @click="includeLocation = !includeLocation"
+    >
+      <input type="checkbox" class="mr-2" v-model="includeLocation" />
      <label for="includeLocation">Include Location</label>
    </div>
    <div v-if="includeLocation" class="mb-4 aspect-video">
@@ -149,22 +147,12 @@
      v-if="showGeneralAdvanced && includeLocation"
      class="items-center mb-4"
    >
-      <div class="flex">
-        <input
-          type="checkbox"
-          class="mr-2"
-          v-model="sendToTrustroots"
-          @click="sendToTrustroots = !sendToTrustroots"
-        />
+      <div class="flex" @click="sendToTrustroots = !sendToTrustroots">
+        <input type="checkbox" class="mr-2" v-model="sendToTrustroots" />
        <label>Send to Trustroots</label>
      </div>
-      <div class="flex">
-        <input
-          type="checkbox"
-          class="mr-2"
-          v-model="sendToTripHopping"
-          @click="sendToTripHopping = !sendToTripHopping"
-        />
+      <div class="flex" @click="sendToTripHopping = !sendToTripHopping">
+        <input type="checkbox" class="mr-2" v-model="sendToTripHopping" />
        <label>Send to TripHopping</label>
      </div>
    </div>
@@ -202,7 +190,10 @@
 import "leaflet/dist/leaflet.css";
 import { AxiosError, AxiosRequestHeaders } from "axios";
 import { DateTime } from "luxon";
+import { hexToBytes } from "@noble/hashes/utils";
+import type { EventTemplate, VerifiedEvent } from "nostr-tools/lib/types/core";
 import { accountFromSeedWords } from "nostr-tools/nip06";
+import { finalizeEvent, serializeEvent } from "nostr-tools/pure";
 import { Component, Vue } from "vue-facing-decorator";
 import { LMap, LMarker, LTileLayer } from "@vue-leaflet/vue-leaflet";
 import { Router } from "vue-router";
@@ -456,18 +447,25 @@ export default class NewEditProjectView extends Vue {

        const projectPath = encodeURIComponent(resp.data.success.handleId);

+        let signedPayload: VerifiedEvent; // sign something to prove ownership of pubkey
        if (this.sendToTrustroots) {
+          signedPayload = await this.signPayload();
          this.sendToNostrPartner(
            "NOSTR-EVENT-TRUSTROOTS",
            "Trustroots",
            resp.data.success.claimId,
+            signedPayload,
          );
        }
        if (this.sendToTripHopping) {
+          if (!signedPayload) {
+            signedPayload = await this.signPayload();
+          }
          this.sendToNostrPartner(
            "NOSTR-EVENT-TRIPHOPPING",
            "TripHopping",
            resp.data.success.claimId,
+            signedPayload,
          );
        }

@@ -535,10 +533,38 @@ export default class NewEditProjectView extends Vue {
    }
  }

+  private async signPayload(): Promise<VerifiedEvent> {
+    const account = await getAccount(this.activeDid);
+    // get the last number of the derivationPath
+    const finalDerNum = account?.derivationPath?.split?.("/")?.reverse()[0];
+    // remove any trailing '
+    const finalDerNumNoApostrophe = finalDerNum?.replace(/'/g, "");
+    const accountNum = Number(finalDerNumNoApostrophe || 0);
+    const pubPri = accountFromSeedWords(
+      account?.mnemonic as string,
+      "",
+      accountNum,
+    );
+    const privateBytes = hexToBytes(pubPri?.privateKey);
+    // No real content is necessary, we just want something signed,
+    // so we might as well use nostr libs for nostr functions.
+    // Besides: someday we may create real content that we can relay.
+    const event: EventTemplate = {
+      kind: 30402,
+      tags: [[]],
+      content: "",
+      created_at: 0,
+    };
+    // Why does IntelliJ not see matching types?
+    const signedEvent = finalizeEvent(event, privateBytes);
+    return signedEvent;
+  }
+
  private async sendToNostrPartner(
    linkCode: string,
    serviceName: string,
    jwtId: string,
+    signedPayload: VerifiedEvent,
  ) {
    // first, get the public key for nostr
    const account = await getAccount(this.activeDid);
@@ -557,11 +583,15 @@ export default class NewEditProjectView extends Vue {
    const trustrootsUrl = DEFAULT_PARTNER_API_SERVER + "/api/partner/link";
    const timeSafariUrl = window.location.origin + "/claim/" + jwtId;
    const content = this.fullClaim.name + " - see " + timeSafariUrl;
+    // Why does IntelliJ not see matching types?
+    const payload = serializeEvent(signedPayload);
    const trustrootsParams = {
      jwtId: jwtId,
      linkCode: linkCode,
      inputJson: JSON.stringify(content),
-      nostrPubKeyHex: nostrPubKey,
+      pubKeyHex: nostrPubKey,
+      pubKeyImage: payload,
+      pubKeySigHex: signedPayload.sig,
    };
    const fullTrustrootsUrl = trustrootsUrl;
    const headers = await getHeaders(this.activeDid);