feat: implement NIP-98 HTTP auth for gRPC

Add comprehensive NIP-98 authentication support following the standard gRPC credentials.PerRPCCredentials pattern. Client-side: - NostrCredentials implements PerRPCCredentials interface - Automatically signs each request with kind 27235 event - Drop-in replacement for OAuth2/JWT in gRPC clients Server-side: - Unary and stream interceptors for validation - Extracts and validates NIP-98 events from Authorization headers - Configurable options (timestamp window, whitelists, skip methods) - Adds authenticated pubkey to request context Security features: - Replay protection via timestamp validation - Optional payload hash verification - Signature verification using schnorr - TLS requirement option Includes comprehensive test coverage and detailed README with usage examples and security considerations.
author: bndw <ben@bdw.to> 2026-02-14 08:39:37 -0800
committer: bndw <ben@bdw.to> 2026-02-14 08:39:37 -0800
commit: 756c325223ef744b476ade565cb1970c7717d053 (patch)
tree: 56ca7b864c686f8a8b9f23ed462ee187d8b30a7e /internal/auth/validation.go
parent: 44872a7642c31166fc500d2d81ff9a9abdeeb727 (diff)
1 files changed, 133 insertions, 0 deletions
diff --git a/internal/auth/validation.go b/internal/auth/validation.go
new file mode 100644
index 0000000..11435ee
--- /dev/null
+++ b/internal/auth/validation.go
@@ -0,0 +1,133 @@
+package auth
+import (
+        "encoding/base64"
+        "encoding/json"
+        "fmt"
+        "strings"
+        "time"
+        "northwest.io/muxstr/internal/nostr"
+)
+// ValidationOptions configures how NIP-98 events are validated.
+type ValidationOptions struct {
+        // TimestampWindow is the maximum age of events in seconds
+        TimestampWindow int64
+        // ValidatePayload checks the payload hash if present
+        ValidatePayload bool
+        // ExpectedURI is the URI that should match the 'u' tag
+        ExpectedURI string
+        // ExpectedMethod is the method that should match the 'method' tag
+        ExpectedMethod string
+        // PayloadHash is the expected payload hash (if ValidatePayload is true)
+        PayloadHash string
+}
+// ParseAuthHeader extracts and decodes a NIP-98 event from an Authorization header.
+// Expected format: "Nostr <base64-encoded-event-json>"
+func ParseAuthHeader(header string) (*nostr.Event, error) {
+        if header == "" {
+                return nil, fmt.Errorf("empty authorization header")
+        }
+        // Check for "Nostr " prefix
+        if !strings.HasPrefix(header, "Nostr ") {
+                return nil, fmt.Errorf("invalid authorization header: must start with 'Nostr '")
+        }
+        // Extract base64 part
+        encoded := strings.TrimPrefix(header, "Nostr ")
+        if encoded == "" {
+                return nil, fmt.Errorf("empty authorization token")
+        }
+        // Decode base64
+        decoded, err := base64.StdEncoding.DecodeString(encoded)
+        if err != nil {
+                return nil, fmt.Errorf("invalid base64 encoding: %w", err)
+        }
+        // Unmarshal event
+        var event nostr.Event
+        if err := json.Unmarshal(decoded, &event); err != nil {
+                return nil, fmt.Errorf("invalid event JSON: %w", err)
+        }
+        return &event, nil
+}
+// ValidateAuthEvent validates a NIP-98 auth event according to the spec.
+func ValidateAuthEvent(event *nostr.Event, opts ValidationOptions) error {
+        // Check event kind
+        if event.Kind != 27235 {
+                return fmt.Errorf("invalid event kind: expected 27235, got %d", event.Kind)
+        }
+        // Verify signature
+        if !event.Verify() {
+                return fmt.Errorf("invalid event signature")
+        }
+        // Check timestamp (prevent replay attacks)
+        now := time.Now().Unix()
+        age := now - event.CreatedAt
+        if age < 0 {
+                return fmt.Errorf("event timestamp is in the future")
+        }
+        if opts.TimestampWindow > 0 && age > opts.TimestampWindow {
+                return fmt.Errorf("event too old: %d seconds (max %d)", age, opts.TimestampWindow)
+        }
+        // Validate 'u' tag (URL)
+        if opts.ExpectedURI != "" {
+                uTag := event.Tags.Find("u")
+                if uTag == nil {
+                        return fmt.Errorf("missing 'u' tag in auth event")
+                }
+                eventURI := uTag.Value()
+                if eventURI != opts.ExpectedURI {
+                        return fmt.Errorf("URI mismatch: expected %s, got %s", opts.ExpectedURI, eventURI)
+                }
+        }
+        // Validate 'method' tag
+        if opts.ExpectedMethod != "" {
+                methodTag := event.Tags.Find("method")
+                if methodTag == nil {
+                        return fmt.Errorf("missing 'method' tag in auth event")
+                }
+                eventMethod := methodTag.Value()
+                if eventMethod != opts.ExpectedMethod {
+                        return fmt.Errorf("method mismatch: expected %s, got %s", opts.ExpectedMethod, eventMethod)
+                }
+        }
+        // Validate payload hash if requested
+        if opts.ValidatePayload && opts.PayloadHash != "" {
+                payloadTag := event.Tags.Find("payload")
+                if payloadTag == nil {
+                        return fmt.Errorf("missing 'payload' tag in auth event")
+                }
+                eventHash := payloadTag.Value()
+                if eventHash != opts.PayloadHash {
+                        return fmt.Errorf("payload hash mismatch")
+                }
+        }
+        return nil
+}
+// ExtractPubkey returns the pubkey from a validated auth event.
+func ExtractPubkey(event *nostr.Event) string {
+        return event.PubKey
+}
author	bndw <ben@bdw.to>	2026-02-14 08:39:37 -0800
committer	bndw <ben@bdw.to>	2026-02-14 08:39:37 -0800
commit	756c325223ef744b476ade565cb1970c7717d053 (patch)
tree	56ca7b864c686f8a8b9f23ed462ee187d8b30a7e /internal/auth/validation.go
parent	44872a7642c31166fc500d2d81ff9a9abdeeb727 (diff)

diff --git a/internal/auth/validation.go b/internal/auth/validation.go new file mode 100644 index 0000000..11435ee --- /dev/null +++ b/internal/auth/validation.go
@@ -0,0 +1,133 @@
	1	package auth
	2
	3	import (
	4	"encoding/base64"
	5	"encoding/json"
	6	"fmt"
	7	"strings"
	8	"time"
	9
	10	"northwest.io/muxstr/internal/nostr"
	11	)
	12
	13	// ValidationOptions configures how NIP-98 events are validated.
	14	type ValidationOptions struct {
	15	// TimestampWindow is the maximum age of events in seconds
	16	TimestampWindow int64
	17
	18	// ValidatePayload checks the payload hash if present
	19	ValidatePayload bool
	20
	21	// ExpectedURI is the URI that should match the 'u' tag
	22	ExpectedURI string
	23
	24	// ExpectedMethod is the method that should match the 'method' tag
	25	ExpectedMethod string
	26
	27	// PayloadHash is the expected payload hash (if ValidatePayload is true)
	28	PayloadHash string
	29	}
	30
	31	// ParseAuthHeader extracts and decodes a NIP-98 event from an Authorization header.
	32	// Expected format: "Nostr <base64-encoded-event-json>"
	33	func ParseAuthHeader(header string) (*nostr.Event, error) {
	34	if header == "" {
	35	return nil, fmt.Errorf("empty authorization header")
	36	}
	37
	38	// Check for "Nostr " prefix
	39	if !strings.HasPrefix(header, "Nostr ") {
	40	return nil, fmt.Errorf("invalid authorization header: must start with 'Nostr '")
	41	}
	42
	43	// Extract base64 part
	44	encoded := strings.TrimPrefix(header, "Nostr ")
	45	if encoded == "" {
	46	return nil, fmt.Errorf("empty authorization token")
	47	}
	48
	49	// Decode base64
	50	decoded, err := base64.StdEncoding.DecodeString(encoded)
	51	if err != nil {
	52	return nil, fmt.Errorf("invalid base64 encoding: %w", err)
	53	}
	54
	55	// Unmarshal event
	56	var event nostr.Event
	57	if err := json.Unmarshal(decoded, &event); err != nil {
	58	return nil, fmt.Errorf("invalid event JSON: %w", err)
	59	}
	60
	61	return &event, nil
	62	}
	63
	64	// ValidateAuthEvent validates a NIP-98 auth event according to the spec.
	65	func ValidateAuthEvent(event *nostr.Event, opts ValidationOptions) error {
	66	// Check event kind
	67	if event.Kind != 27235 {
	68	return fmt.Errorf("invalid event kind: expected 27235, got %d", event.Kind)
	69	}
	70
	71	// Verify signature
	72	if !event.Verify() {
	73	return fmt.Errorf("invalid event signature")
	74	}
	75
	76	// Check timestamp (prevent replay attacks)
	77	now := time.Now().Unix()
	78	age := now - event.CreatedAt
	79
	80	if age < 0 {
	81	return fmt.Errorf("event timestamp is in the future")
	82	}
	83
	84	if opts.TimestampWindow > 0 && age > opts.TimestampWindow {
	85	return fmt.Errorf("event too old: %d seconds (max %d)", age, opts.TimestampWindow)
	86	}
	87
	88	// Validate 'u' tag (URL)
	89	if opts.ExpectedURI != "" {
	90	uTag := event.Tags.Find("u")
	91	if uTag == nil {
	92	return fmt.Errorf("missing 'u' tag in auth event")
	93	}
	94
	95	eventURI := uTag.Value()
	96	if eventURI != opts.ExpectedURI {
	97	return fmt.Errorf("URI mismatch: expected %s, got %s", opts.ExpectedURI, eventURI)
	98	}
	99	}
	100
	101	// Validate 'method' tag
	102	if opts.ExpectedMethod != "" {
	103	methodTag := event.Tags.Find("method")
	104	if methodTag == nil {
	105	return fmt.Errorf("missing 'method' tag in auth event")
	106	}
	107
	108	eventMethod := methodTag.Value()
	109	if eventMethod != opts.ExpectedMethod {
	110	return fmt.Errorf("method mismatch: expected %s, got %s", opts.ExpectedMethod, eventMethod)
	111	}
	112	}
	113
	114	// Validate payload hash if requested
	115	if opts.ValidatePayload && opts.PayloadHash != "" {
	116	payloadTag := event.Tags.Find("payload")
	117	if payloadTag == nil {
	118	return fmt.Errorf("missing 'payload' tag in auth event")
	119	}
	120
	121	eventHash := payloadTag.Value()
	122	if eventHash != opts.PayloadHash {
	123	return fmt.Errorf("payload hash mismatch")
	124	}
	125	}
	126
	127	return nil
	128	}
	129
	130	// ExtractPubkey returns the pubkey from a validated auth event.
	131	func ExtractPubkey(event *nostr.Event) string {
	132	return event.PubKey
	133	}