go-nostr/nip26/nip26.go

package nip26

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"

	"github.com/btcsuite/btcd/btcec/v2"
	"github.com/btcsuite/btcd/btcec/v2/schnorr"
	"github.com/nbd-wtf/go-nostr"
)

type DelegationToken struct {
	delegator [32]byte
	token     [64]byte
	kinds     []int
	since     *time.Time
	until     *time.Time
	tag       [4]string
}

// Tag() returns the nostr formatted delegation tag for the DelegationToken d.
func (d *DelegationToken) Tag() nostr.Tag {
	return nostr.Tag(d.tag[:])
}

// Conditions() is the delegation conditions string as in NIP-26.
func (d *DelegationToken) Conditions() (conditions string) {
	for _, k := range d.kinds {
		conditions += fmt.Sprintf("kind=%d&", k)
	}
	if d.since != nil {
		conditions += fmt.Sprintf("created_at>%d&", d.since.Unix())
	}
	if d.until != nil {
		conditions += fmt.Sprintf("created_at<%d&", d.until.Unix())
	}
	return strings.TrimSuffix(conditions, "&")
}

// This error is returned by d.Parse(ev) if the event ev does not have a delegation token.
var NoDelegationTag error = fmt.Errorf("No Delegation Tag")

// This error is returned by Import(t,delegatee_pk) if the token signature verification fails.
var VerificationFailed error = fmt.Errorf("VerificationFailed")

// CheckDelegation reads the event and reports whether or not it is correctly delegated.
// If there is a delegation tag, the delegation token signature will be checked according to NIP-26.
// If there is no delegation tag, ok will be true and err will be nil.
// For checking many events, it is advisable to use Parse to reduce the number of memory allocations.
func CheckDelegation(ev *nostr.Event) (ok bool, err error) {
	d := new(DelegationToken)
	if ok, err := d.Parse(ev); ok == true && (err == nil || err == NoDelegationTag) {
		return true, nil
	} else {
		return false, err
	}
}

// Import verifies that t is NIP-26 delegation token for the given delegatee.
// The returned DelegationToken object can be used in DelegatedSign.
// If the token signature verification fails, the error VerificationFailed will be returned.
func Import(t nostr.Tag, delegatee_pk string) (d *DelegationToken, e error) {
	d = new(DelegationToken)
	if len(t) == 4 && t[0] == "delegation" {
		copy(d.tag[:], t)
	} else {
		return nil, fmt.Errorf("not a delegation tag")
	}
	if n, e := hex.Decode(d.delegator[:], []byte(d.tag[1])); n != 32 || e != nil {
		return nil, fmt.Errorf("invalid delegation tag")
	}
	if n, e := hex.Decode(d.token[:], []byte(d.tag[3])); n != 64 || e != nil {
		return nil, fmt.Errorf("invalid delegation tag")
	}
	if d.kinds, d.since, d.until, e = parseConditions(d.tag[2]); e != nil {
		return nil, fmt.Errorf("invalid conditions string")
	}

	// compute the digest
	h := sha256.Sum256([]byte(fmt.Sprintf("nostr:delegation:%s:%s", delegatee_pk, d.tag[2])))

	sig, err := schnorr.ParseSignature(d.token[:])
	if err != nil {
		return nil, fmt.Errorf("Error: %s", err.Error())
	}

	pubkey, err := schnorr.ParsePubKey(d.delegator[:])
	if err != nil {
		return nil, fmt.Errorf("Error: %s", err.Error())
	}
	if !sig.Verify(h[:], pubkey) {
		return nil, VerificationFailed
	}
	return d, nil
}

// Parse reads the event ev and stores the delegation token into d.
// The ok value verifies the event is correctly delegated.
// If there is no delegation token, then d will not be changed. In this case the error value will be `NoDelegationTag`, and ok will be set to true.
// Parse does NOT verify the event was correctly signed. Use ev.CheckSignature() for this.
// More efficient memory allocations versus CheckDelegation(ev) if many events need to be checked.
func (d *DelegationToken) Parse(ev *nostr.Event) (ok bool, err error) {
	for _, t := range ev.Tags {
		if t[0] == "delegation" && len(t) == 4 {
			copy(d.tag[:], t)
			goto jump1
		}
	}
	// event has no delegation. set the token to nil and return.
	return true, NoDelegationTag

jump1:
	if n, e := hex.Decode(d.delegator[:], []byte(d.tag[1])); n != 32 || e != nil {
		return false, fmt.Errorf("invalid delegation tag")
	}
	if n, e := hex.Decode(d.token[:], []byte(d.tag[3])); n != 64 || e != nil {
		return false, fmt.Errorf("invalid delegation tag")
	}

	if d.kinds, d.since, d.until, err = parseConditions(d.tag[2]); err != nil {
		return false, fmt.Errorf("invalid conditions string")
	}

	if len(d.kinds) > 0 {
		for _, k := range d.kinds {
			if ev.Kind == k {
				goto jump2
			}
		}
		return false, fmt.Errorf("Event kind %d is not allowed in delegation conditions.", ev.Kind)
	}

jump2:
	if d.since != nil && ev.CreatedAt.Before(*d.since) {
		return false, fmt.Errorf("Event is created before delegation conditions allow.")
	}
	if d.until != nil && ev.CreatedAt.After(*d.until) {
		return false, fmt.Errorf("Event is created after delegation conditions allow.")
	}

	// compute the digest
	h := sha256.Sum256([]byte(fmt.Sprintf("nostr:delegation:%s:%s", ev.PubKey, d.tag[2])))

	sig, err := schnorr.ParseSignature(d.token[:])
	if err != nil {
		return false, fmt.Errorf("Error: %s", err.Error())
	}

	pubkey, err := schnorr.ParsePubKey(d.delegator[:])
	if err != nil {
		return false, fmt.Errorf("Error: %s", err.Error())
	}

	return sig.Verify(h[:], pubkey), nil
}

// DelegatedSign performs a delegated signature on the event ev.
// The delegation signature is not verified. If desired, the caller can ensure the delegation signature is correct by calling d.Parse(ev) or CheckDelegation(ev) afterwards.
func DelegatedSign(ev *nostr.Event, d *DelegationToken, delegatee_sk string) error {
	for _, t := range ev.Tags {
		if t[0] == "delegation" {
			return fmt.Errorf("event already has delegation token")
		}
	}
	if d.since != nil && ev.CreatedAt.Before(*d.since) || d.until != nil && ev.CreatedAt.After(*d.until) {
		return fmt.Errorf("event created_at field is not compatible with delegation token time conditions.")
	}
	if len(d.kinds) > 0 {
		for _, k := range d.kinds {
			if ev.Kind == k {
				goto jump
			}
		}
		return fmt.Errorf("event kind %d is not compatible with delegation token conditions.", ev.Kind)
	}
jump:
	if pk, e := nostr.GetPublicKey(delegatee_sk); e != nil {
		return fmt.Errorf("invalid delegatee secret key.")
	} else {
		ev.PubKey = pk
	}
	ev.Tags = append(ev.Tags, d.Tag())
	return ev.Sign(delegatee_sk)
}

// CreateToken creates a DelegationToken according to NIP-26.
func CreateToken(delegator_sk string, delegatee_pk string, kinds []int, since *time.Time, until *time.Time) (d *DelegationToken, e error) {
	d = new(DelegationToken)
	s, e := hex.DecodeString(delegator_sk)
	if e != nil {
		return nil, fmt.Errorf("invalid delegator secret key")
	}

	tee_pk, e := hex.DecodeString(delegatee_pk)
	if len(tee_pk) != 32 || e != nil {
		return nil, fmt.Errorf("invalid delegatee pubkey")
	}

	// set delegator
	sk, tor_pk := btcec.PrivKeyFromBytes(s)
	copy(d.delegator[:], schnorr.SerializePubKey(tor_pk))

	d.kinds = kinds
	d.since = since
	d.until = until

	// generate tag
	d.tag[0] = "delegation"
	d.tag[1] = fmt.Sprintf("%x", d.delegator)
	d.tag[2] = d.Conditions()

	h := sha256.Sum256([]byte(fmt.Sprintf("nostr:delegation:%x:%s", tee_pk, d.tag[2])))

	if sig, err := schnorr.Sign(sk, h[:]); err != nil {
		panic(err)
	} else {
		copy(d.token[:], sig.Serialize())
	}

	d.tag[3] = fmt.Sprintf("%x", d.token)

	return d, nil
}

func parseConditions(conditions string) (kinds []int, since *time.Time, until *time.Time, err error) {
	kinds = make([]int, 0)
	for _, v := range strings.Split(conditions, "&") {
		switch {
		case strings.HasPrefix(v, "kind="):
			if i, e := strconv.ParseInt(strings.TrimPrefix(v, "kind="), 10, 64); e == nil {
				kinds = append(kinds, int(i))
			} else {
				return nil, nil, nil, fmt.Errorf("Invalid: %s!", v)
			}
		case strings.HasPrefix(v, "created_at>") && since == nil:
			if i, e := strconv.ParseInt(strings.TrimPrefix(v, "created_at>"), 10, 64); e == nil {
				t := time.Unix(i, 0)
				since = &t
			} else {
				return nil, nil, nil, fmt.Errorf("Invalid: %s", v)
			}
		case strings.HasPrefix(v, "created_at<") && until == nil:
			if i, e := strconv.ParseInt(strings.TrimPrefix(v, "created_at<"), 10, 64); e == nil {
				t := time.Unix(i, 0)
				until = &t
			} else {
				return nil, nil, nil, fmt.Errorf("Invalid: %s", v)
			}
		default:
			return nil, nil, nil, fmt.Errorf("Invalid: %s", v)
		}
	}
	return
}