import express from 'express'; import crypto from 'crypto'; import jwt from 'jsonwebtoken'; import { nip19, getEventHash, verifyEvent, SimplePool } from 'nostr-tools'; const app = express(); const PORT = 3001; // In-memory storage for demo purposes const users = new Map(); const authCodes = new Map(); const sessions = new Map(); // JWT signing key (in production, use a proper key) const JWT_SECRET = 'your-super-secret-jwt-signing-key-change-in-production'; const ISSUER = 'https://auth.laantungir.net'; // Production HTTPS URL const CLIENT_ID = 'GITEA'; const CLIENT_SECRET = 'gitea-secret'; // Nostr relays for fetching user metadata const NOSTR_RELAYS = [ 'wss://relay.laantungir.net', 'wss://relay.damus.io', 'wss://nos.lol', 'wss://relay.nostr.band', 'wss://nostr-pub.wellorder.net' ]; // Initialize Nostr pool const pool = new SimplePool(); // NIP-05 related functions async function fetchUserMetadata(pubkey) { try { console.log('🔍 Fetching metadata for pubkey:', pubkey); const filter = { kinds: [0], authors: [pubkey], limit: 1 }; const events = await pool.querySync(NOSTR_RELAYS, filter); if (events.length > 0) { const metadata = JSON.parse(events[0].content); console.log('✅ Found metadata:', metadata); return metadata; } console.log('❌ No metadata found'); return null; } catch (error) { console.error('❌ Error fetching metadata:', error); return null; } } async function validateNip05(nip05, pubkey) { try { console.log('🔍 Validating NIP-05:', nip05); // Parse the NIP-05 identifier let localPart, domain; if (nip05.includes('@')) { [localPart, domain] = nip05.split('@'); } else { // Handle _@domain.com format (root identifier) localPart = '_'; domain = nip05; } // Fetch the well-known endpoint const url = `https://${domain}/.well-known/nostr.json?name=${localPart}`; console.log('🔍 Fetching well-known:', url); const response = await fetch(url, { timeout: 5000, headers: { 'User-Agent': 'Nostr-OIDC-Bridge/1.0' } }); if (!response.ok) { console.log('❌ Well-known fetch failed:', response.status); return false; } const data = await response.json(); console.log('✅ Well-known response:', data); // Check if the pubkey matches const expectedPubkey = data.names?.[localPart]; const isValid = expectedPubkey === pubkey; console.log(`${isValid ? '✅' : '❌'} NIP-05 validation:`, { expected: expectedPubkey, actual: pubkey, valid: isValid }); return isValid; } catch (error) { console.error('❌ Error validating NIP-05:', error); return false; } } function generateUsernameAndEmail(nip05, npub, pubkey) { let username, email; if (nip05) { if (nip05.includes('@')) { // For user@domain.com format, use local part as username const [local, domain] = nip05.split('@'); // Use local part as username (truncate if needed) username = local.length <= 40 ? local : local.substring(0, 40); // Use full NIP-05 as email email = nip05; } else { // For root identifier (domain.com), use domain as username username = nip05.length <= 40 ? nip05 : nip05.substring(0, 40); email = `_@${nip05}`; // Convert to standard email format } } else { // Fallback to shortened npub username = npub.length <= 40 ? npub.substring(0, 40) : npub.substring(0, 40); email = `${pubkey.substring(0, 8)}@nostr.local`; } return { username, email }; } // Trust proxy for production deployment behind nginx app.set('trust proxy', true); // Middleware app.use(express.urlencoded({ extended: true })); app.use(express.json()); app.set('view engine', 'ejs'); app.set('views', './views'); // Debug logging middleware app.use((req, res, next) => { console.log(`${new Date().toISOString()} - ${req.method} ${req.url}`); if (req.query && Object.keys(req.query).length > 0) { console.log('Query params:', req.query); } next(); }); // OIDC Discovery endpoint - manually controlled for production app.get('/.well-known/openid-configuration', (req, res) => { res.json({ issuer: ISSUER, authorization_endpoint: `${ISSUER}/auth`, token_endpoint: `${ISSUER}/token`, userinfo_endpoint: `${ISSUER}/userinfo`, jwks_uri: `${ISSUER}/jwks`, scopes_supported: ['openid', 'profile', 'email'], response_types_supported: ['code'], grant_types_supported: ['authorization_code'], subject_types_supported: ['public'], id_token_signing_alg_values_supported: ['HS256'], claims_supported: ['sub', 'name', 'preferred_username', 'email'], }); }); // Authorization endpoint app.get('/auth', (req, res) => { const { client_id, redirect_uri, response_type, scope, state } = req.query; console.log('🔵 Authorization request:', { client_id, redirect_uri, response_type, scope, state }); // Validate client if (client_id !== CLIENT_ID) { const errorUrl = `${redirect_uri}?error=invalid_client&state=${state}`; console.log('❌ Invalid client, redirecting to:', errorUrl); return res.redirect(errorUrl); } // Generate session const sessionId = crypto.randomBytes(32).toString('hex'); const challenge = crypto.randomBytes(32).toString('hex'); sessions.set(sessionId, { client_id, redirect_uri, scope, state, challenge, created_at: Date.now() }); console.log('✅ Created session:', sessionId); // Render login page res.render('login', { challenge, uid: sessionId, returnTo: `/complete-auth/${sessionId}` }); }); // Handle Nostr authentication app.post('/complete-auth/:sessionId', async (req, res) => { try { const { sessionId } = req.params; const { npub, event_json } = req.body; console.log('🐛 DEBUG - Received data:', { sessionId, npub: npub ? `"${npub}" (length: ${npub.length})` : 'undefined', event_json: event_json ? `${event_json.substring(0, 100)}... (length: ${event_json.length})` : 'undefined', allKeys: Object.keys(req.body) }); const session = sessions.get(sessionId); if (!session) { throw new Error('Session not found or expired'); } // Verify the Nostr event const event = JSON.parse(event_json); if (!verifyEvent(event)) { throw new Error('Invalid signature'); } if (event.content !== session.challenge) { throw new Error('Challenge mismatch'); } // Handle both npub format and raw hex pubkey let pubkey; try { if (npub.startsWith('npub')) { const decoded = nip19.decode(npub); pubkey = decoded.data; } else { // Assume it's raw hex pubkey pubkey = npub; } } catch (error) { throw new Error('Invalid public key format'); } if (event.pubkey !== pubkey) { throw new Error('Public key mismatch'); } console.log('✅ Nostr authentication successful for:', pubkey); // Create or get user let user = users.get(pubkey); if (!user) { // Try to fetch NIP-05 information let nip05 = null; let validatedNip05 = false; try { console.log('🔍 Attempting to fetch NIP-05 for user...'); const metadata = await fetchUserMetadata(pubkey); if (metadata && metadata.nip05) { console.log('🔍 Found NIP-05 in metadata:', metadata.nip05); validatedNip05 = await validateNip05(metadata.nip05, pubkey); if (validatedNip05) { nip05 = metadata.nip05; console.log('✅ NIP-05 validated successfully:', nip05); } else { console.log('❌ NIP-05 validation failed'); } } else { console.log('❌ No NIP-05 found in metadata'); } } catch (error) { console.error('❌ Error during NIP-05 lookup:', error); } // Generate the best username and email const { username, email } = generateUsernameAndEmail(validatedNip05 ? nip05 : null, npub, pubkey); user = { id: pubkey, name: nip05 && validatedNip05 ? nip05 : npub, username: username, email: email, nip05: validatedNip05 ? nip05 : null, }; users.set(pubkey, user); console.log('✅ Created new user:', user); } // Generate authorization code const authCode = crypto.randomBytes(32).toString('hex'); authCodes.set(authCode, { user_id: pubkey, client_id: session.client_id, redirect_uri: session.redirect_uri, scope: session.scope, created_at: Date.now(), expires_at: Date.now() + (10 * 60 * 1000) // 10 minutes }); console.log('✅ Generated auth code:', authCode); // Clean up session sessions.delete(sessionId); // Redirect back to Gitea with auth code const redirectUrl = `${session.redirect_uri}?code=${authCode}&state=${session.state}`; console.log('✅ Redirecting to Gitea:', redirectUrl); res.redirect(redirectUrl); } catch (error) { console.error('❌ Authentication error:', error); const session = sessions.get(req.params.sessionId); const challenge = session ? session.challenge : crypto.randomBytes(32).toString('hex'); res.render('login', { error: error.message, challenge, uid: req.params.sessionId, returnTo: `/complete-auth/${req.params.sessionId}` }); } }); // Token endpoint app.post('/token', (req, res) => { try { const { grant_type, code, client_id, client_secret, redirect_uri } = req.body; console.log('🔵 Token request:', { grant_type, code, client_id, redirect_uri }); // Validate grant type if (grant_type !== 'authorization_code') { return res.status(400).json({ error: 'unsupported_grant_type' }); } // Validate client if (client_id !== CLIENT_ID || client_secret !== CLIENT_SECRET) { return res.status(401).json({ error: 'invalid_client' }); } // Get auth code const authData = authCodes.get(code); if (!authData) { return res.status(400).json({ error: 'invalid_grant' }); } // Check expiration if (Date.now() > authData.expires_at) { authCodes.delete(code); return res.status(400).json({ error: 'invalid_grant' }); } // Validate redirect URI if (authData.redirect_uri !== redirect_uri) { return res.status(400).json({ error: 'invalid_grant' }); } const user = users.get(authData.user_id); if (!user) { return res.status(400).json({ error: 'invalid_grant' }); } // Generate tokens const now = Math.floor(Date.now() / 1000); const accessToken = jwt.sign({ sub: user.id, aud: client_id, iss: ISSUER, iat: now, exp: now + 3600, // 1 hour scope: authData.scope }, JWT_SECRET); const idToken = jwt.sign({ sub: user.id, aud: client_id, iss: ISSUER, iat: now, exp: now + 3600, name: user.name, preferred_username: user.username, email: user.email, }, JWT_SECRET); // Clean up auth code (one-time use) authCodes.delete(code); console.log('✅ Issued tokens for user:', user.id); res.json({ access_token: accessToken, token_type: 'Bearer', expires_in: 3600, id_token: idToken, scope: authData.scope }); } catch (error) { console.error('❌ Token error:', error); res.status(500).json({ error: 'server_error' }); } }); // Userinfo endpoint function const handleUserInfo = (req, res) => { try { const authHeader = req.headers.authorization; if (!authHeader || !authHeader.startsWith('Bearer ')) { return res.status(401).json({ error: 'invalid_token' }); } const token = authHeader.substring(7); const decoded = jwt.verify(token, JWT_SECRET); const user = users.get(decoded.sub); if (!user) { return res.status(401).json({ error: 'invalid_token' }); } console.log('✅ UserInfo request for user:', user.id); res.json({ sub: user.id, name: user.name, preferred_username: user.username, email: user.email, }); } catch (error) { console.error('❌ Userinfo error:', error); res.status(401).json({ error: 'invalid_token' }); } }; // Userinfo endpoints (both /userinfo and /me for compatibility) app.get('/userinfo', handleUserInfo); app.get('/me', handleUserInfo); // JWKS endpoint (simplified) app.get('/jwks', (req, res) => { // This is a simplified implementation // In production, use proper JWK format res.json({ keys: [] }); }); // Health check app.get('/health', (req, res) => { res.json({ status: 'ok', timestamp: new Date().toISOString() }); }); // Error handler app.use((err, req, res, next) => { console.error('❌ Express Error:', err); if (res.headersSent) { return next(err); } res.status(500).json({ error: 'Internal server error', message: err.message }); }); // Start server app.listen(PORT, '0.0.0.0', () => { console.log(`🚀 Simple Nostr OIDC Bridge running on http://0.0.0.0:${PORT}`); console.log(`🔗 OIDC Discovery: ${ISSUER}/.well-known/openid-configuration`); });