feat(signer): migrate Nostr publishing off account.prvkey → resolve_for_wallet (#23)

Closes aiolabs/events#23. Pre-cascade prerequisite for aiolabs/lnbits#17 (signer abstraction phase 1), which lands an m002 startup job that NULLs the legacy `accounts.prvkey` column. After this migration, the events extension reads no plaintext nsec and works with any NostrSigner backend (LocalSigner / RemoteBunkerSigner / ClientSideOnlySigner). ## What changed ### nostr_hooks.py — publish_or_delete_nostr_event Was: pulled `(account.pubkey, account.prvkey)` from the wallet owner, passed both to `publish_event_to_nostr`. Hard-skipped publish when `account.prvkey` was None. Now: calls `await resolve_for_wallet(event.wallet)` (the DRY helper from aiolabs/lnbits#23 — wallet → account → signer → can_sign-check in one call, returns None on any soft-fail). Passes the resolved `NostrSigner` to the publisher. Soft-skip on None (wallet missing, account unclassified, or ClientSideOnlySigner where the server has no signing authority) — matching previous "no prvkey" behavior. ### nostr_publisher.py — publish_event_to_nostr Was: accepted `(account_pubkey, account_prvkey)` and signed via a local `sign_nostr_event` helper that called `coincurve.PrivateKey .sign_schnorr` directly on the plaintext nsec. Now: accepts `signer: NostrSigner`. Builds the unsigned event dict (`kind`/`created_at`/`tags`/`content`), hands it to `await signer.sign_event(...)`, reconstructs the local `NostrEvent` model from the signed dict (`id`/`pubkey`/`sig` fields). The signer backend (LocalSigner / RemoteBunkerSigner) is transparent. Removed the `sign_nostr_event` helper entirely — the signer abstraction handles all signing now. Dropped the `coincurve` import; no direct crypto in this extension. ## Acceptance - [x] keypair helper replaced (nostr_hooks no longer touches account.prvkey) - [x] publish_event_to_nostr accepts NostrSigner instead of (pubkey, prvkey) - [x] extension-local Schnorr code removed (sign_nostr_event gone) - [x] re-grep `events/`: zero `account.prvkey` references - [x] version bumped: 1.6.1-aio.3 → 1.6.1-aio.4 Manual smoke testing + tag + catalog entry follow the migration landing; will run against the regtest stack with lnbits on `issue-18-phase-2.3` (which validates both LocalSigner and RemoteBunkerSigner signing paths end-to-end). ## Cross-references - aiolabs/events#23 — issue this commit closes - aiolabs/lnbits#17 — the cascading signer-abstraction PR - aiolabs/lnbits#23 — the resolve_for_wallet helper this uses - aiolabs/lnbits#26 — phase 2.3 (sign_event over bunker, validated against aiolabs/nsecbunkerd@fb1c239) - aiolabs/lnbits#21 — umbrella audit identifying 5 affected extensions Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 21:55:56 +02:00 · 2026-05-27 21:55:56 +02:00 · 66076d6ca7
commit 66076d6ca7
parent 37fad05c1f
3 changed files with 44 additions and 27 deletions
--- a/nostr_hooks.py
+++ b/nostr_hooks.py
@ -15,25 +15,30 @@ from .nostr_publisher import publish_event_to_nostr
 async def publish_or_delete_nostr_event(event: Event, *, delete: bool = False) -> None:
    """Publish or delete the NIP-52 calendar event for `event`.

-    Pulls the wallet owner's pubkey/prvkey to sign with the user's identity.
-    Failures are logged and swallowed so a Nostr outage doesn't break the
-    HTTP flow that triggered the publish.
+    Resolves a `NostrSigner` for the wallet owner — backend-agnostic
+    (LocalSigner / RemoteBunkerSigner / ClientSideOnlySigner). The
+    signer abstraction handles the actual key material; this hook
+    only needs `signer.pubkey` for event construction and
+    `await signer.sign_event(...)` for signing. Failures are logged
+    and swallowed so a Nostr outage doesn't break the HTTP flow that
+    triggered the publish.
    """
    try:
-        from lnbits.core.crud.users import get_account
-        from lnbits.core.crud.wallets import get_wallet
+        from lnbits.core.signers import resolve_for_wallet

        from . import nostr_client

-        wallet_obj = await get_wallet(event.wallet)
-        if not wallet_obj:
-            return
-        account = await get_account(wallet_obj.user)
-        if not account or not account.pubkey or not account.prvkey:
+        signer = await resolve_for_wallet(event.wallet)
+        if signer is None:
+            # Wallet missing, account missing, unclassified row, or
+            # ClientSideOnlySigner account (server can't sign for them).
+            # Soft-fail: skip the publish silently. The user can still
+            # publish kind-31922/31923 events client-side once we have
+            # that path.
            return

        nostr_event = await publish_event_to_nostr(
-            nostr_client, event, account.pubkey, account.prvkey, delete=delete
+            nostr_client, event, signer, delete=delete
        )
        if nostr_event and not delete:
            event.nostr_event_id = nostr_event.id