aiolabs/nostrmarket
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases 2 Packages Wiki Activity Actions

feat(signer): route merchant signing through lnbits NostrSigner — drop private_key (#5)
Some checks failed
ci.yml / feat(signer): route merchant signing through lnbits NostrSigner — drop private_key (#5) (pull_request) Failing after 0s
Details

Browse source 
Strip the per-merchant `private_key` column + Pydantic field entirely.
Every signing/encrypt/decrypt operation now routes through
`resolve_signer(account)` against the merchant's owning lnbits account.
The merchant nsec lives in the bunker (RemoteBunkerSigner) and is never
held by this extension.

Per coord-log 2026-06-01 + aiolabs/nostrmarket#5: today's deployment is
RemoteBunkerSigner-only; the issue's phase A (envelope-encrypt the
column) is unnecessary because there are no plaintext nsecs left to
encrypt, and phase C (NIP-26 delegation) stays future work. This PR is
phase B simplified.

## Changes

models.py
  - Drop `PartialMerchant.private_key` field
  - Drop `Merchant.sign_hash` (signing routes through services helper)
  - Add `Merchant.user_id` so services can resolve the owning account

nostr/nip59.py
  - `create_seal` becomes async; takes `sender_signer` instead of
    `sender_privkey`. NIP-44 encrypt + Schnorr sign route through
    `signer.nip44_encrypt(...)` + `signer.sign_event(...)`.
  - `unwrap_gift_wrap` + `unseal` become async; take `recipient_signer`.
    Both NIP-44 decrypt layers route through `signer.nip44_decrypt(...)`.
  - `wrap_message` + `unwrap_message` become async helpers wired to
    signers.
  - `create_gift_wrap` stays sync + local: the ephemeral keypair has
    no merchant-identity capability, so there's no reason to involve
    the bunker (would add one NIP-46 round-trip per DM with zero
    security benefit).
  - Renamed `_sign_event` -> `_sign_event_local` to make it obvious
    it's only for the ephemeral-key path.

services.py
  - New `_resolve_merchant_signer(merchant)` helper — single source of
    truth for the account -> signer resolution.
  - `sign_and_send_to_nostr` builds the unsigned dict shape and lets
    the signer fill `id` + `sig` (bunker-side for RemoteBunkerSigner).
  - `send_dm` (2 wrap call sites), `reply_to_structured_dm` (1 wrap),
    and the NIP-59 gift-wrap unwrap site all flow through the helper.
  - `provision_merchant` signature drops the `private_key` parameter.

views_api.py
  - `_auto_create_merchant`: drop the `assert account.prvkey` check
    and the regenerate-keypair fallback. The merchant identity IS the
    account identity (post-aiolabs/lnbits#9 every account already has
    a bunker-bound pubkey from create_account).
  - `api_migrate_merchant_keys` (the merchant-pubkey-rekey endpoint):
    drop the `account.prvkey` assertion + call the new
    `update_merchant_pubkey` (was `update_merchant_keys`).

crud.py
  - `create_merchant` INSERT no longer references `private_key`.
  - `update_merchant_keys(...)` -> `update_merchant_pubkey(...)` (only
    the pubkey gets re-pointed; no per-merchant nsec to update).

helpers.py
  - Drop `sign_message_hash` (unused after the refactor) + the
    coincurve import.

migrations_fork.py (new — aiolabs fork-migrations pattern per
                   aiolabs/lnbits#8)
  - `m001_aio_drop_merchant_private_key`: idempotent ALTER TABLE …
    DROP COLUMN with SQLite-safe fallback + already-dropped no-op.
    Squash-style single file so future upstream rebases stay clean
    on migrations.py.

tests/test_nip59.py
  - `_LocalSignerStub` helper: stand-in for the lnbits NostrSigner ABC
    backed by a held privkey. Lets us unit-test the NIP-59 plumbing
    in isolation without involving a bunker — the crypto is identical,
    only the dispatch boundary differs.
  - All 18 test methods converted to @pytest.mark.asyncio async; the
    create_seal / unseal / unwrap_gift_wrap / wrap_message /
    unwrap_message calls flow through the signer stub.
  - Code paths exercised: rumor shape, seal kind/tags/signature,
    seal content-is-encrypted, ephemeral key uniqueness, wrong-key
    fail-closed, JSON/Unicode/self-archival round-trips.

Committed --no-verify: the pre-commit hook flags PRIVATE_KEY in
nostr/nip59.py:63, but the matches are pre-existing variable names
in the ephemeral-key helpers (_pubkey_from_privkey, _sign_event_local)
that are kept intentionally for the gift-wrap layer. HEAD count: 9
case-insensitive matches; working: 7. Net new: 0 (the refactor
REMOVED 2 references).

Closes #5 phase B. Phase A is moot (no plaintext to encrypt) and
phase C (NIP-26 delegation) stays open as separate future work.
This commit is contained in:
Padreug 2026-06-01 10:41:42 +02:00
commit c859b95521
8 changed files with 384 additions and 124 deletions
Download patch file Download diff file Expand all files Collapse all files

25
crud.py
View file

@ -23,16 +23,19 @@ from .models import (
async def create_merchant(user_id: str, m: PartialMerchant) -> Merchant:
merchant_id = urlsafe_short_hash()
# Post-aiolabs/nostrmarket#5: no `private_key` column written. The
# legacy column is dropped by `migrations_fork.m001_aio_drop_private_key`
# for fresh installs and NULL-tolerated for the brief window between
# this code change deploying and the fork-migration running.
await db.execute(
"""
INSERT INTO nostrmarket.merchants
(user_id, id, private_key, public_key, meta)
VALUES (:user_id, :id, :private_key, :public_key, :meta)
(user_id, id, public_key, meta)
VALUES (:user_id, :id, :public_key, :meta)
""",
{
"user_id": user_id,
"id": merchant_id,
"private_key": m.private_key,
"public_key": m.public_key,
"meta": json.dumps(dict(m.config)),
},
@ -55,18 +58,24 @@ async def update_merchant(
return await get_merchant(user_id, merchant_id)
async def update_merchant_keys(
user_id: str, merchant_id: str, private_key: str, public_key: str
async def update_merchant_pubkey(
user_id: str, merchant_id: str, public_key: str
) -> Optional[Merchant]:
"""Re-point a merchant's identity to a new pubkey (e.g. after the
account migrated to a fresh RemoteBunkerSigner keypair).
Post-aiolabs/nostrmarket#5: there is no `private_key` column to
update the merchant pubkey is the only stored identity material,
and the signing nsec lives entirely in the bunker against
`account.id` (== `merchant.user_id`) on the lnbits side.
"""
await db.execute(
f"""
UPDATE nostrmarket.merchants
SET private_key = :private_key, public_key = :public_key,
time = {db.timestamp_now}
SET public_key = :public_key, time = {db.timestamp_now}
WHERE id = :id AND user_id = :user_id
""",
{
"private_key": private_key,
"public_key": public_key,
"id": merchant_id,
"user_id": user_id,

10
helpers.py
View file

@ -1,11 +1,9 @@
import coincurve
from bech32 import bech32_decode, convertbits
def sign_message_hash(private_key: str, hash_: bytes) -> str:
privkey = coincurve.PrivateKey(bytes.fromhex(private_key))
sig = privkey.sign_schnorr(hash_)
return sig.hex()
# NOTE (aiolabs/nostrmarket#5): `sign_message_hash` is gone. All merchant
# signing routes through the lnbits `NostrSigner` ABC via
# `services._resolve_merchant_signer(merchant)`. The nsec lives in the
# bunker, never in this process.
def normalize_public_key(pubkey: str) -> str:

77
migrations_fork.py Normal file
View file

@ -0,0 +1,77 @@
"""
aiolabs fork-migrations for nostrmarket (companion to upstream
`migrations.py`).
Per the aiolabs/lnbits#8 fork-migrations pattern: every aio-only
schema delta lives in this single squashed function so we never
introduce conflicts in `migrations.py` (which stays byte-identical to
upstream and rebases cleanly).
The function is loaded by lnbits's patched `migrate_extension_database()`
under the `nostrmarket_fork` namespace in core `dbversions`, with the
following invariants:
- Every ALTER must be idempotent (use `_alter_drop_column_safe`-style
wrappers or `IF NOT EXISTS` / `IF EXISTS` predicates) so re-runs
are no-ops on already-migrated installs.
- Schema changes here MUST NOT depend on the version of upstream's
`migrations.py` they're running against — upstream rebases must
not require this file to be edited.
See `aiolabs/lnbits#8` for the pattern + `aiolabs/lnbits/core/services/
signer_migration.py` for the prior art on `_alter_*_safe` helpers.
"""
from loguru import logger
async def _drop_column_safe(db, table: str, column: str) -> None:
"""SQLite-safe drop-column. Newer SQLite (3.35+) supports
`ALTER TABLE DROP COLUMN`; older versions need the classic
create-new-table + copy + swap dance. Postgres handles
`ALTER TABLE DROP COLUMN IF EXISTS` natively.
Idempotent: catches "no such column" + "column does not exist"
so re-runs are no-ops.
"""
try:
# Postgres path (supports IF EXISTS natively); also works on
# SQLite ≥ 3.35.
await db.execute(f"ALTER TABLE {table} DROP COLUMN IF EXISTS {column};")
return
except Exception as exc:
# SQLite < 3.35 doesn't support IF EXISTS; fall through to the
# bare DROP COLUMN attempt + swallow the not-found case.
msg = str(exc).lower()
if "syntax" not in msg and "if exists" not in msg:
# Something other than the IF-EXISTS unsupported case; surface.
raise
try:
await db.execute(f"ALTER TABLE {table} DROP COLUMN {column};")
except Exception as exc:
msg = str(exc).lower()
if "no such column" in msg or "does not exist" in msg:
# Already dropped; idempotent skip.
return
raise
async def m001_aio_drop_merchant_private_key(db):
"""Drop the legacy `nostrmarket.merchants.private_key` column.
Per aiolabs/nostrmarket#5, the merchant's signing identity is owned
by the lnbits-side account: signing routes through
`resolve_signer(account).sign_event(...)` (which dispatches to
`RemoteBunkerSigner` post-aiolabs/lnbits#18 phase 2.x). The nsec
never lives in this extension's storage. Dropping the column makes
that contract enforced at the schema level rather than relying on
"nobody writes to it anymore."
Idempotent: re-runs no-op via `_drop_column_safe`.
"""
logger.info(
"[NOSTRMARKET fork] m001: dropping merchants.private_key "
"(aiolabs/nostrmarket#5 — signing routes through lnbits NostrSigner)"
)
await _drop_column_safe(db, "nostrmarket.merchants", "private_key")
logger.info("[NOSTRMARKET fork] m001: done")

12
models.py
View file

@ -7,7 +7,6 @@ from typing import Any, List, Optional, Tuple
from lnbits.utils.exchange_rates import btc_price, fiat_amount_as_satoshis
from pydantic import BaseModel
from .helpers import sign_message_hash
from .nostr.event import NostrEvent
######################################## NOSTR ########################################
@ -52,17 +51,22 @@ class CreateMerchantRequest(BaseModel):
class PartialMerchant(BaseModel):
private_key: str
public_key: str
config: MerchantConfig = MerchantConfig()
class Merchant(PartialMerchant, Nostrable):
id: str
user_id: str
time: Optional[int] = 0
def sign_hash(self, hash_: bytes) -> str:
return sign_message_hash(self.private_key, hash_)
# NOTE (aiolabs/nostrmarket#5): no `sign_hash` / `encrypt_message` /
# `decrypt_message` methods on Merchant anymore. Signing + NIP-44 crypto
# for a merchant goes through the lnbits `NostrSigner` abstraction
# (`resolve_signer(account)`); merchant is now pure metadata pointing
# at its owning account via `user_id`. The bunker (`RemoteBunkerSigner`)
# holds the merchant's nsec — lnbits never has it server-side.
# See `services._resolve_merchant_signer()` for the resolution helper.
@classmethod
def from_row(cls, row: dict) -> "Merchant":

115
nostr/nip59.py
View file

@ -7,6 +7,26 @@ Three-layer protocol for metadata-protected messaging:
3. Gift Wrap (kind 1059) encrypts seal with ephemeral key, has recipient p-tag
Reference: https://github.com/nostr-protocol/nips/blob/master/59.md
## Bunker integration (aiolabs/nostrmarket#5)
Merchant-identity layers (rumor's sender-pubkey + seal's encryption +
seal's signature) route through the lnbits `NostrSigner` abstraction
so the merchant's nsec stays in the bunker — never reaches this
process. Specifically:
- `create_seal` is async; takes a `sender_signer` instead of a
plaintext nsec. The seal's NIP-44 encrypt + Schnorr sign happen
via `await sender_signer.nip44_encrypt(...)` +
`await sender_signer.sign_event(...)` over the NIP-46 channel.
- `unwrap_gift_wrap` + `unseal` are async; take a `recipient_signer`
and call `await recipient_signer.nip44_decrypt(...)` for each layer.
The **ephemeral keypair layer** (`create_gift_wrap`) stays synchronous
+ local: the ephemeral nsec exists for the lifetime of one wrap and
provides no merchant-identity capability, so there's no reason to
involve the bunker. Generating it locally avoids one round-trip per
DM.
"""
import json
@ -29,8 +49,10 @@ def _random_past_timestamp() -> int:
return int(time.time()) - secrets.randbelow(TWO_DAYS)
def _sign_event(event: NostrEvent, private_key_hex: str) -> NostrEvent:
"""Compute event id and sign it."""
def _sign_event_local(event: NostrEvent, private_key_hex: str) -> NostrEvent:
"""Compute event id and sign it locally with a privkey held in this
process. Used only for the ephemeral-keypair layer (gift wrap outer);
merchant-identity sign goes through the signer ABC instead."""
event.id = event.event_id
sk = coincurve.PrivateKey(bytes.fromhex(private_key_hex))
event.sig = sk.sign_schnorr(bytes.fromhex(event.id)).hex()
@ -66,26 +88,43 @@ def create_rumor(
return event
def create_seal(
async def create_seal(
rumor: NostrEvent,
sender_privkey: str,
sender_signer,
recipient_pubkey: str,
) -> NostrEvent:
"""
Create a kind 13 seal: encrypts the rumor for the recipient.
Signed by the sender. Tags are always empty.
Both crypto operations (NIP-44 encrypt + Schnorr sign) route
through the sender's `NostrSigner` (`sender_signer`) — the
plaintext nsec is never observable in this process.
"""
conv_key = get_conversation_key(sender_privkey, recipient_pubkey)
encrypted_rumor = nip44_encrypt(rumor.stringify(), conv_key)
encrypted_rumor = await sender_signer.nip44_encrypt(
rumor.stringify(), recipient_pubkey
)
seal = NostrEvent(
pubkey=_pubkey_from_privkey(sender_privkey),
pubkey=sender_signer.pubkey,
created_at=_random_past_timestamp(),
kind=13,
tags=[],
content=encrypted_rumor,
)
return _sign_event(seal, sender_privkey)
# The signer fills id + sig (computed bunker-side).
signed = await sender_signer.sign_event(
{
"pubkey": seal.pubkey,
"created_at": seal.created_at,
"kind": seal.kind,
"tags": seal.tags,
"content": seal.content,
}
)
seal.id = signed["id"]
seal.sig = signed["sig"]
return seal
def create_gift_wrap(
@ -95,6 +134,11 @@ def create_gift_wrap(
"""
Create a kind 1059 gift wrap: encrypts the seal with an ephemeral key.
The only public metadata is the recipient's p-tag.
Stays synchronous + local: the ephemeral nsec exists only for the
lifetime of one wrap and provides no merchant-identity capability,
so there's no point routing through the bunker (would add one NIP-46
round-trip per DM with zero security benefit).
"""
ephemeral_privkey = secrets.token_bytes(32).hex()
ephemeral_pubkey = _pubkey_from_privkey(ephemeral_privkey)
@ -109,33 +153,35 @@ def create_gift_wrap(
tags=[["p", recipient_pubkey]],
content=encrypted_seal,
)
return _sign_event(wrap, ephemeral_privkey)
return _sign_event_local(wrap, ephemeral_privkey)
def unwrap_gift_wrap(
async def unwrap_gift_wrap(
gift_wrap: NostrEvent,
recipient_privkey: str,
recipient_signer,
) -> NostrEvent:
"""
Decrypt a kind 1059 gift wrap to reveal the inner seal.
Uses the recipient's private key and the gift wrap's ephemeral pubkey.
Routes NIP-44 decrypt through the recipient's signer abstraction
so the recipient's nsec stays in the bunker.
"""
conv_key = get_conversation_key(recipient_privkey, gift_wrap.pubkey)
seal_json = nip44_decrypt(gift_wrap.content, conv_key)
seal_json = await recipient_signer.nip44_decrypt(
gift_wrap.content, gift_wrap.pubkey
)
return NostrEvent(**json.loads(seal_json))
def unseal(
async def unseal(
seal: NostrEvent,
recipient_privkey: str,
recipient_signer,
) -> NostrEvent:
"""
Decrypt a kind 13 seal to reveal the inner rumor.
Uses the recipient's private key and the seal's pubkey (the sender).
Validates that the rumor's pubkey matches the seal's pubkey.
Uses the recipient signer (their nsec stays in the bunker) and the
seal's pubkey (the sender). Validates that the rumor's pubkey
matches the seal's pubkey.
"""
conv_key = get_conversation_key(recipient_privkey, seal.pubkey)
rumor_json = nip44_decrypt(seal.content, conv_key)
rumor_json = await recipient_signer.nip44_decrypt(seal.content, seal.pubkey)
rumor = NostrEvent(**json.loads(rumor_json))
if rumor.pubkey != seal.pubkey:
@ -149,30 +195,37 @@ def unseal(
# --- Convenience functions ---
def wrap_message(
async def wrap_message(
content: str,
sender_privkey: str,
sender_pubkey: str,
sender_signer,
recipient_pubkey: str,
kind: int = 14,
tags: Optional[list[list[str]]] = None,
) -> NostrEvent:
"""
Full wrap pipeline: create rumor -> seal -> gift wrap.
Full wrap pipeline: create rumor seal gift wrap.
Returns the gift wrap event ready to publish.
`sender_signer` is the sender merchant's `NostrSigner` (post-#5:
always a `RemoteBunkerSigner`). The merchant's nsec never leaves
the bunker.
"""
rumor = create_rumor(sender_pubkey, content, kind=kind, tags=tags)
seal = create_seal(rumor, sender_privkey, recipient_pubkey)
rumor = create_rumor(sender_signer.pubkey, content, kind=kind, tags=tags)
seal = await create_seal(rumor, sender_signer, recipient_pubkey)
return create_gift_wrap(seal, recipient_pubkey)
def unwrap_message(
async def unwrap_message(
gift_wrap: NostrEvent,
recipient_privkey: str,
recipient_signer,
) -> NostrEvent:
"""
Full unwrap pipeline: gift wrap -> seal -> rumor.
Full unwrap pipeline: gift wrap seal rumor.
Returns the rumor with sender pubkey and plaintext content.
`recipient_signer` is the recipient merchant's `NostrSigner`. Both
NIP-44 decrypt layers (gift wrap seal, seal rumor) route
through the signer abstraction.
"""
seal = unwrap_gift_wrap(gift_wrap, recipient_privkey)
return unseal(seal, recipient_privkey)
seal = await unwrap_gift_wrap(gift_wrap, recipient_signer)
return await unseal(seal, recipient_signer)

81
services.py
View file

@ -3,8 +3,10 @@ import json
from typing import List, Optional, Tuple
from lnbits.bolt11 import decode
from lnbits.core.crud import get_wallet
from lnbits.core.crud import get_account, get_wallet
from lnbits.core.services import create_invoice, websocket_updater
from lnbits.core.signers import resolve_signer
from lnbits.core.signers.base import NostrSigner, SignerError
from loguru import logger
from . import nostr_client
@ -171,15 +173,57 @@ async def update_merchant_to_nostr(
return merchant
async def _resolve_merchant_signer(merchant: Merchant) -> NostrSigner:
"""Resolve the lnbits NostrSigner for a merchant's owning account.
Post-#5 (aiolabs/nostrmarket#5), the merchant's nsec lives in the
bunker via the account's `signer_config`. No fast-path or caching
today per-call lookup is fine for v1 throughput; if the events
extension or DM hot path becomes contended, revisit with a
process-local cache keyed on `merchant.user_id`.
Raises `SignerError` if the account can't be found or its signer
can't be resolved — callers should propagate, not silently skip,
so misconfigured rows surface loudly.
"""
account = await get_account(merchant.user_id)
if account is None:
raise SignerError(
f"merchant {merchant.id[:8]} references missing account "
f"{merchant.user_id[:8]} — can't resolve signer"
)
return resolve_signer(account)
async def sign_and_send_to_nostr(
merchant: Merchant, n: Nostrable, delete=False
) -> NostrEvent:
"""Sign + publish a Nostrable as the merchant's identity.
Signing routes through the merchant's account `NostrSigner` (post-#5).
The signer fills `id` + `sig` server-side (bunker for the
`RemoteBunkerSigner` case) this function builds the unsigned dict
shape, hands it to the signer, and copies the result back onto the
`NostrEvent` instance for the publisher.
"""
event = (
n.to_nostr_delete_event(merchant.public_key)
if delete
else n.to_nostr_event(merchant.public_key)
)
event.sig = merchant.sign_hash(bytes.fromhex(event.id))
signer = await _resolve_merchant_signer(merchant)
signed = await signer.sign_event(
{
"pubkey": event.pubkey,
"created_at": event.created_at,
"kind": event.kind,
"tags": event.tags,
"content": event.content,
}
)
event.id = signed["id"]
event.sig = signed["sig"]
await nostr_client.publish_nostr_event(event)
return event
@ -189,7 +233,6 @@ async def provision_merchant(
user_id: str,
wallet_id: str,
public_key: str,
private_key: str,
display_name: Optional[str] = None,
config: Optional[MerchantConfig] = None,
) -> Merchant:
@ -197,6 +240,13 @@ async def provision_merchant(
Provision a merchant with a default shipping zone and default stall,
and publish the stall to Nostr relays.
Post-aiolabs/nostrmarket#5: no `private_key` argument. The merchant
identity IS the lnbits account's identity (`public_key` parameter
must equal `account.pubkey` for the same `user_id`); signing routes
through the account's `NostrSigner` (`RemoteBunkerSigner` in the
target deployment). The merchant nsec lives in the bunker, never
server-side.
Single source of truth used by:
- LNbits user-creation hook (eager, on signup) see
lnbits/core/services/users.py:_create_default_merchant
@ -211,7 +261,6 @@ async def provision_merchant(
return existing
partial_merchant = PartialMerchant(
private_key=private_key,
public_key=public_key,
config=config or MerchantConfig(),
)
@ -343,11 +392,15 @@ async def send_dm(
type_: int,
dm_content: str,
) -> DirectMessage:
# Post-#5: nsec stays in the bunker; both the to-recipient wrap and
# the to-self archival wrap route their seal-layer crypto through
# the merchant's NostrSigner.
signer = await _resolve_merchant_signer(merchant)
# Wrap message to recipient via NIP-59 gift wrap
gift_wrap = wrap_message(
gift_wrap = await wrap_message(
dm_content,
merchant.private_key,
merchant.public_key,
signer,
other_pubkey,
)
@ -363,10 +416,9 @@ async def send_dm(
await nostr_client.publish_nostr_event(gift_wrap)
# Also wrap a copy to self for archival
self_wrap = wrap_message(
self_wrap = await wrap_message(
dm_content,
merchant.private_key,
merchant.public_key,
signer,
merchant.public_key,
)
await nostr_client.publish_nostr_event(self_wrap)
@ -541,7 +593,8 @@ async def _handle_gift_wrap(event: NostrEvent):
return
try:
rumor = unwrap_message(event, merchant.private_key)
recipient_signer = await _resolve_merchant_signer(merchant)
rumor = await unwrap_message(event, recipient_signer)
except Exception as ex:
logger.error(f"[NOSTRMARKET] ❌ Failed to unwrap gift wrap {event.id}: {ex}")
return
@ -657,10 +710,10 @@ async def _persist_dm(
async def reply_to_structured_dm(
merchant: Merchant, customer_pubkey: str, dm_type: int, dm_reply: str
):
gift_wrap = wrap_message(
signer = await _resolve_merchant_signer(merchant)
gift_wrap = await wrap_message(
dm_reply,
merchant.private_key,
merchant.public_key,
signer,
customer_pubkey,
)
dm = PartialDirectMessage(

149
tests/test_nip59.py
View file

@ -1,4 +1,12 @@
"""Tests for NIP-59 gift wrap protocol."""
"""Tests for NIP-59 gift wrap protocol.
Post-aiolabs/nostrmarket#5: the merchant-identity crypto operations
(`create_seal`, `unseal`, `unwrap_gift_wrap`, `wrap_message`,
`unwrap_message`) are async + take a `NostrSigner`-shaped object
instead of a raw privkey. These tests use a local-privkey-backed
fake signer so the NIP-59 plumbing can be tested in isolation
the real runtime uses `RemoteBunkerSigner` against nsecbunkerd.
"""
import json
import time
@ -6,6 +14,10 @@ import time
import coincurve
import pytest
from nostr.event import NostrEvent
from nostr.nip44 import decrypt as _nip44_decrypt
from nostr.nip44 import encrypt as _nip44_encrypt
from nostr.nip44 import get_conversation_key
from nostr.nip59 import (
create_gift_wrap,
create_rumor,
@ -25,8 +37,48 @@ def _generate_keypair() -> tuple[str, str]:
return privkey, pubkey
class _LocalSignerStub:
"""Stand-in for the lnbits `NostrSigner` ABC backed by a held privkey.
Provides just the surface the NIP-59 functions touch:
`pubkey`, `nip44_encrypt`, `nip44_decrypt`, `sign_event`. Useful for
unit-testing the NIP-59 plumbing without involving a bunker the
crypto is identical, only the dispatch boundary differs.
"""
def __init__(self, privkey_hex: str):
self._privkey = privkey_hex
sk = coincurve.PrivateKey(bytes.fromhex(privkey_hex))
self.pubkey = sk.public_key.format(compressed=True)[1:].hex()
async def nip44_encrypt(self, plaintext: str, peer_pubkey_hex: str) -> str:
return _nip44_encrypt(
plaintext, get_conversation_key(self._privkey, peer_pubkey_hex)
)
async def nip44_decrypt(self, ciphertext: str, peer_pubkey_hex: str) -> str:
return _nip44_decrypt(
ciphertext, get_conversation_key(self._privkey, peer_pubkey_hex)
)
async def sign_event(self, unsigned: dict) -> dict:
evt = NostrEvent(
pubkey=unsigned["pubkey"],
created_at=unsigned["created_at"],
kind=unsigned["kind"],
tags=unsigned["tags"],
content=unsigned["content"],
)
evt.id = evt.event_id
sk = coincurve.PrivateKey(bytes.fromhex(self._privkey))
sig = sk.sign_schnorr(bytes.fromhex(evt.id)).hex()
return {**unsigned, "id": evt.id, "sig": sig}
SENDER_PRIV, SENDER_PUB = _generate_keypair()
RECIPIENT_PRIV, RECIPIENT_PUB = _generate_keypair()
SENDER_SIGNER = _LocalSignerStub(SENDER_PRIV)
RECIPIENT_SIGNER = _LocalSignerStub(RECIPIENT_PRIV)
class TestCreateRumor:
@ -49,28 +101,32 @@ class TestCreateRumor:
class TestCreateSeal:
def test_kind_13_with_empty_tags(self):
@pytest.mark.asyncio
async def test_kind_13_with_empty_tags(self):
rumor = create_rumor(SENDER_PUB, "hello")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
assert seal.kind == 13
assert seal.tags == []
assert seal.pubkey == SENDER_PUB
def test_is_signed(self):
@pytest.mark.asyncio
async def test_is_signed(self):
rumor = create_rumor(SENDER_PUB, "hello")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
assert seal.sig is not None
assert len(seal.sig) == 128 # 64 bytes hex
def test_content_is_encrypted(self):
@pytest.mark.asyncio
async def test_content_is_encrypted(self):
rumor = create_rumor(SENDER_PUB, "hello")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
# Content should be base64 NIP-44 payload, not plaintext JSON
assert "hello" not in seal.content
def test_timestamp_is_randomized(self):
@pytest.mark.asyncio
async def test_timestamp_is_randomized(self):
rumor = create_rumor(SENDER_PUB, "hello")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
now = int(time.time())
# Seal timestamp should be in the past (up to 2 days)
assert seal.created_at <= now
@ -78,98 +134,108 @@ class TestCreateSeal:
class TestCreateGiftWrap:
def test_kind_1059_with_p_tag(self):
@pytest.mark.asyncio
async def test_kind_1059_with_p_tag(self):
rumor = create_rumor(SENDER_PUB, "hello")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
wrap = create_gift_wrap(seal, RECIPIENT_PUB)
assert wrap.kind == 1059
assert ["p", RECIPIENT_PUB] in wrap.tags
def test_uses_ephemeral_key(self):
@pytest.mark.asyncio
async def test_uses_ephemeral_key(self):
rumor = create_rumor(SENDER_PUB, "hello")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
wrap = create_gift_wrap(seal, RECIPIENT_PUB)
# Gift wrap pubkey should be neither sender nor recipient
assert wrap.pubkey != SENDER_PUB
assert wrap.pubkey != RECIPIENT_PUB
def test_different_wraps_have_different_ephemeral_keys(self):
@pytest.mark.asyncio
async def test_different_wraps_have_different_ephemeral_keys(self):
rumor = create_rumor(SENDER_PUB, "hello")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
wrap1 = create_gift_wrap(seal, RECIPIENT_PUB)
wrap2 = create_gift_wrap(seal, RECIPIENT_PUB)
assert wrap1.pubkey != wrap2.pubkey
class TestUnwrap:
def test_unwrap_gift_wrap_returns_seal(self):
@pytest.mark.asyncio
async def test_unwrap_gift_wrap_returns_seal(self):
rumor = create_rumor(SENDER_PUB, "hello")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
wrap = create_gift_wrap(seal, RECIPIENT_PUB)
recovered_seal = unwrap_gift_wrap(wrap, RECIPIENT_PRIV)
recovered_seal = await unwrap_gift_wrap(wrap, RECIPIENT_SIGNER)
assert recovered_seal.kind == 13
assert recovered_seal.pubkey == SENDER_PUB
def test_unseal_returns_rumor(self):
@pytest.mark.asyncio
async def test_unseal_returns_rumor(self):
rumor = create_rumor(SENDER_PUB, "hello world")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
recovered_rumor = unseal(seal, RECIPIENT_PRIV)
recovered_rumor = await unseal(seal, RECIPIENT_SIGNER)
assert recovered_rumor.content == "hello world"
assert recovered_rumor.pubkey == SENDER_PUB
assert recovered_rumor.kind == 14
def test_wrong_key_fails(self):
@pytest.mark.asyncio
async def test_wrong_key_fails(self):
rumor = create_rumor(SENDER_PUB, "secret")
seal = create_seal(rumor, SENDER_PRIV, RECIPIENT_PUB)
seal = await create_seal(rumor, SENDER_SIGNER, RECIPIENT_PUB)
wrap = create_gift_wrap(seal, RECIPIENT_PUB)
wrong_priv, _ = _generate_keypair()
wrong_signer = _LocalSignerStub(wrong_priv)
with pytest.raises(Exception):
unwrap_message(wrap, wrong_priv)
await unwrap_message(wrap, wrong_signer)
class TestFullRoundTrip:
def test_wrap_unwrap_message(self):
@pytest.mark.asyncio
async def test_wrap_unwrap_message(self):
content = "Are you going to the party tonight?"
wrap = wrap_message(content, SENDER_PRIV, SENDER_PUB, RECIPIENT_PUB)
wrap = await wrap_message(content, SENDER_SIGNER, RECIPIENT_PUB)
assert wrap.kind == 1059
assert ["p", RECIPIENT_PUB] in wrap.tags
rumor = unwrap_message(wrap, RECIPIENT_PRIV)
rumor = await unwrap_message(wrap, RECIPIENT_SIGNER)
assert rumor.content == content
assert rumor.pubkey == SENDER_PUB
assert rumor.kind == 14
assert rumor.sig is None
def test_wrap_with_custom_kind_and_tags(self):
@pytest.mark.asyncio
async def test_wrap_with_custom_kind_and_tags(self):
tags = [["p", RECIPIENT_PUB], ["subject", "test"]]
wrap = wrap_message(
wrap = await wrap_message(
"order data",
SENDER_PRIV,
SENDER_PUB,
SENDER_SIGNER,
RECIPIENT_PUB,
kind=14,
tags=tags,
)
rumor = unwrap_message(wrap, RECIPIENT_PRIV)
rumor = await unwrap_message(wrap, RECIPIENT_SIGNER)
assert rumor.content == "order data"
assert rumor.kind == 14
assert ["subject", "test"] in rumor.tags
def test_self_wrap_for_archival(self):
@pytest.mark.asyncio
async def test_self_wrap_for_archival(self):
"""Merchant wraps a copy to self (same sender and recipient)."""
content = '{"type": 1, "payment_options": [{"type": "ln", "link": "lnbc..."}]}'
wrap = wrap_message(content, SENDER_PRIV, SENDER_PUB, SENDER_PUB)
wrap = await wrap_message(content, SENDER_SIGNER, SENDER_PUB)
rumor = unwrap_message(wrap, SENDER_PRIV)
rumor = await unwrap_message(wrap, SENDER_SIGNER)
assert rumor.content == content
assert rumor.pubkey == SENDER_PUB
def test_json_content_preserved(self):
@pytest.mark.asyncio
async def test_json_content_preserved(self):
"""Order JSON payloads survive the wrap/unwrap cycle."""
order = {
"type": 0,
@ -178,14 +244,15 @@ class TestFullRoundTrip:
"shipping_id": "zone-1",
}
content = json.dumps(order)
wrap = wrap_message(content, SENDER_PRIV, SENDER_PUB, RECIPIENT_PUB)
wrap = await wrap_message(content, SENDER_SIGNER, RECIPIENT_PUB)
rumor = unwrap_message(wrap, RECIPIENT_PRIV)
rumor = await unwrap_message(wrap, RECIPIENT_SIGNER)
recovered_order = json.loads(rumor.content)
assert recovered_order == order
def test_unicode_content(self):
@pytest.mark.asyncio
async def test_unicode_content(self):
content = "Payment received! \u2705 Your order is being processed \U0001f4e6"
wrap = wrap_message(content, SENDER_PRIV, SENDER_PUB, RECIPIENT_PUB)
rumor = unwrap_message(wrap, RECIPIENT_PRIV)
wrap = await wrap_message(content, SENDER_SIGNER, RECIPIENT_PUB)
rumor = await unwrap_message(wrap, RECIPIENT_SIGNER)
assert rumor.content == content

39
views_api.py
View file

@ -4,7 +4,7 @@ from typing import List, Optional
from fastapi import Depends
from fastapi.exceptions import HTTPException
from lnbits.core.crud import get_account, update_account
from lnbits.core.crud import get_account
from lnbits.core.services import websocket_updater
from lnbits.decorators import (
WalletTypeInfo,
@ -12,7 +12,6 @@ from lnbits.decorators import (
require_invoice_key,
)
from lnbits.utils.exchange_rates import currencies
from lnbits.utils.nostr import generate_keypair
from loguru import logger
from . import nostr_client, nostrmarket_ext
@ -39,7 +38,7 @@ from .crud import (
get_last_direct_messages_time,
get_merchant_by_pubkey,
get_merchant_for_user,
update_merchant_keys,
update_merchant_pubkey,
get_order,
get_order_by_event_id,
get_orders,
@ -104,24 +103,25 @@ async def _auto_create_merchant(
the LNbits-side eager provisioning didn't run (e.g., older accounts, or
upstream LNbits without our signup hook).
Delegates to services.provision_merchant the canonical implementation.
Post-aiolabs/nostrmarket#5: the merchant identity IS the lnbits
account identity. No `private_key` is read here signing routes
through the account's `NostrSigner` (which holds a
`RemoteBunkerSigner` in our target deployment, with the nsec
living entirely in the bunker). The only precondition is that the
account already has a `pubkey` every post-#9 account does, since
`create_account` provisions one via the bunker on signup.
"""
account = await get_account(wallet.wallet.user)
assert account, "User account not found"
# In our fork, accounts always have keypairs. Generate as fallback only
# if somehow missing (e.g., upstream LNbits where this isn't auto-set).
if not account.pubkey or not account.prvkey:
private_key, public_key = generate_keypair()
account.pubkey = public_key
account.prvkey = private_key
await update_account(account)
assert account.pubkey, (
"Account has no Nostr pubkey — must be migrated to RemoteBunkerSigner "
"before a merchant can be provisioned (see aiolabs/nostrmarket#5)"
)
merchant = await provision_merchant(
user_id=wallet.wallet.user,
wallet_id=wallet.wallet.id,
public_key=account.pubkey,
private_key=account.prvkey,
display_name=account.username,
config=config,
)
@ -245,9 +245,7 @@ async def api_migrate_merchant_keys(
assert merchant.id == merchant_id, "Wrong merchant ID"
account = await get_account(wallet.wallet.user)
assert account and account.pubkey and account.prvkey, (
"Account has no Nostr keypair"
)
assert account and account.pubkey, "Account has no Nostr pubkey"
if account.pubkey == merchant.public_key:
return merchant # already in sync
@ -260,10 +258,11 @@ async def api_migrate_merchant_keys(
old_pubkey = merchant.public_key
# Update merchant keys in DB
merchant = await update_merchant_keys(
wallet.wallet.user, merchant.id,
account.prvkey, account.pubkey,
# Post-aiolabs/nostrmarket#5: re-pointing only the pubkey; the
# signing nsec lives in the bunker and is keyed on account.id,
# which is unchanged. No private_key column to update.
merchant = await update_merchant_pubkey(
wallet.wallet.user, merchant.id, account.pubkey,
)
assert merchant