From 66076d6ca75295ce27bd68c8b6e87801ea83dcb5 Mon Sep 17 00:00:00 2001 From: Padreug Date: Wed, 27 May 2026 21:55:56 +0200 Subject: [PATCH] =?UTF-8?q?feat(signer):=20migrate=20Nostr=20publishing=20?= =?UTF-8?q?off=20account.prvkey=20=E2=86=92=20resolve=5Ffor=5Fwallet=20(#2?= =?UTF-8?q?3)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes aiolabs/events#23. Pre-cascade prerequisite for aiolabs/lnbits#17 (signer abstraction phase 1), which lands an m002 startup job that NULLs the legacy `accounts.prvkey` column. After this migration, the events extension reads no plaintext nsec and works with any NostrSigner backend (LocalSigner / RemoteBunkerSigner / ClientSideOnlySigner). ## What changed ### nostr_hooks.py — publish_or_delete_nostr_event Was: pulled `(account.pubkey, account.prvkey)` from the wallet owner, passed both to `publish_event_to_nostr`. Hard-skipped publish when `account.prvkey` was None. Now: calls `await resolve_for_wallet(event.wallet)` (the DRY helper from aiolabs/lnbits#23 — wallet → account → signer → can_sign-check in one call, returns None on any soft-fail). Passes the resolved `NostrSigner` to the publisher. Soft-skip on None (wallet missing, account unclassified, or ClientSideOnlySigner where the server has no signing authority) — matching previous "no prvkey" behavior. ### nostr_publisher.py — publish_event_to_nostr Was: accepted `(account_pubkey, account_prvkey)` and signed via a local `sign_nostr_event` helper that called `coincurve.PrivateKey .sign_schnorr` directly on the plaintext nsec. Now: accepts `signer: NostrSigner`. Builds the unsigned event dict (`kind`/`created_at`/`tags`/`content`), hands it to `await signer.sign_event(...)`, reconstructs the local `NostrEvent` model from the signed dict (`id`/`pubkey`/`sig` fields). The signer backend (LocalSigner / RemoteBunkerSigner) is transparent. Removed the `sign_nostr_event` helper entirely — the signer abstraction handles all signing now. Dropped the `coincurve` import; no direct crypto in this extension. ## Acceptance - [x] keypair helper replaced (nostr_hooks no longer touches account.prvkey) - [x] publish_event_to_nostr accepts NostrSigner instead of (pubkey, prvkey) - [x] extension-local Schnorr code removed (sign_nostr_event gone) - [x] re-grep `events/`: zero `account.prvkey` references - [x] version bumped: 1.6.1-aio.3 → 1.6.1-aio.4 Manual smoke testing + tag + catalog entry follow the migration landing; will run against the regtest stack with lnbits on `issue-18-phase-2.3` (which validates both LocalSigner and RemoteBunkerSigner signing paths end-to-end). ## Cross-references - aiolabs/events#23 — issue this commit closes - aiolabs/lnbits#17 — the cascading signer-abstraction PR - aiolabs/lnbits#23 — the resolve_for_wallet helper this uses - aiolabs/lnbits#26 — phase 2.3 (sign_event over bunker, validated against aiolabs/nsecbunkerd@fb1c239) - aiolabs/lnbits#21 — umbrella audit identifying 5 affected extensions Co-Authored-By: Claude Opus 4.7 (1M context) --- config.json | 2 +- nostr_hooks.py | 27 ++++++++++++++++----------- nostr_publisher.py | 42 +++++++++++++++++++++++++++--------------- 3 files changed, 44 insertions(+), 27 deletions(-) diff --git a/config.json b/config.json index 021565f..9691da4 100644 --- a/config.json +++ b/config.json @@ -1,6 +1,6 @@ { "id": "events", - "version": "1.6.1-aio.3", + "version": "1.6.1-aio.4", "name": "Events", "repo": "https://git.atitlan.io/aiolabs/events", "short_description": "Sell and register event tickets", diff --git a/nostr_hooks.py b/nostr_hooks.py index 3211b24..32ea11c 100644 --- a/nostr_hooks.py +++ b/nostr_hooks.py @@ -15,25 +15,30 @@ from .nostr_publisher import publish_event_to_nostr async def publish_or_delete_nostr_event(event: Event, *, delete: bool = False) -> None: """Publish or delete the NIP-52 calendar event for `event`. - Pulls the wallet owner's pubkey/prvkey to sign with the user's identity. - Failures are logged and swallowed so a Nostr outage doesn't break the - HTTP flow that triggered the publish. + Resolves a `NostrSigner` for the wallet owner — backend-agnostic + (LocalSigner / RemoteBunkerSigner / ClientSideOnlySigner). The + signer abstraction handles the actual key material; this hook + only needs `signer.pubkey` for event construction and + `await signer.sign_event(...)` for signing. Failures are logged + and swallowed so a Nostr outage doesn't break the HTTP flow that + triggered the publish. """ try: - from lnbits.core.crud.users import get_account - from lnbits.core.crud.wallets import get_wallet + from lnbits.core.signers import resolve_for_wallet from . import nostr_client - wallet_obj = await get_wallet(event.wallet) - if not wallet_obj: - return - account = await get_account(wallet_obj.user) - if not account or not account.pubkey or not account.prvkey: + signer = await resolve_for_wallet(event.wallet) + if signer is None: + # Wallet missing, account missing, unclassified row, or + # ClientSideOnlySigner account (server can't sign for them). + # Soft-fail: skip the publish silently. The user can still + # publish kind-31922/31923 events client-side once we have + # that path. return nostr_event = await publish_event_to_nostr( - nostr_client, event, account.pubkey, account.prvkey, delete=delete + nostr_client, event, signer, delete=delete ) if nostr_event and not delete: event.nostr_event_id = nostr_event.id diff --git a/nostr_publisher.py b/nostr_publisher.py index 6867041..81324fc 100644 --- a/nostr_publisher.py +++ b/nostr_publisher.py @@ -1,8 +1,9 @@ """ NIP-52 calendar event publishing for the events extension. -Builds NIP-52 calendar events from the Event model, signs them with the -creator's Account keypair, and publishes via the NostrClient. +Builds NIP-52 calendar events from the Event model, signs them via the +core `NostrSigner` abstraction (backend-agnostic: LocalSigner, +RemoteBunkerSigner, etc.), and publishes via the NostrClient. Kind 31922 is used for date-only events; kind 31923 (time-based) is used when event_start_date / event_end_date include a time component. @@ -13,7 +14,7 @@ Reference: https://github.com/nostr-protocol/nips/blob/master/52.md import time from datetime import datetime, timezone -import coincurve +from lnbits.core.signers import NostrSigner from loguru import logger from .models import Event @@ -142,23 +143,20 @@ def build_nip52_delete_event(event: Event, pubkey: str) -> NostrEvent: return nostr_event -def sign_nostr_event(nostr_event: NostrEvent, private_key_hex: str) -> None: - """Sign a NostrEvent in-place using Schnorr signature.""" - privkey = coincurve.PrivateKey(bytes.fromhex(private_key_hex)) - sig = privkey.sign_schnorr(bytes.fromhex(nostr_event.id)) - nostr_event.sig = sig.hex() - - async def publish_event_to_nostr( nostr_client, event: Event, - account_pubkey: str, - account_prvkey: str, + signer: NostrSigner, delete: bool = False, ) -> NostrEvent | None: """ Build, sign, and publish a NIP-52 calendar event (or delete event). + Signing routes through the core `NostrSigner` abstraction — + `signer.pubkey` for the event identity, `await signer.sign_event(...)` + for the Schnorr signature. The signer backend (LocalSigner / + RemoteBunkerSigner) is transparent to this function. + Returns the published NostrEvent for metadata storage, or None on failure. """ if not nostr_client: @@ -167,11 +165,25 @@ async def publish_event_to_nostr( try: if delete: - nostr_event = build_nip52_delete_event(event, account_pubkey) + nostr_event = build_nip52_delete_event(event, signer.pubkey) else: - nostr_event = build_nip52_event(event, account_pubkey) + nostr_event = build_nip52_event(event, signer.pubkey) + + # Hand the unsigned event to the signer — it fills in `id`, + # `pubkey`, and `sig`. The signer's serialization rules match + # NIP-01 (same as the local `event_id` property uses), so the + # returned id matches what we'd have computed locally. + unsigned = { + "kind": nostr_event.kind, + "created_at": nostr_event.created_at, + "tags": nostr_event.tags, + "content": nostr_event.content, + } + signed = await signer.sign_event(unsigned) + nostr_event.id = signed["id"] + nostr_event.pubkey = signed["pubkey"] + nostr_event.sig = signed["sig"] - sign_nostr_event(nostr_event, account_prvkey) await nostr_client.publish_nostr_event(nostr_event) logger.info(