tag v1.1.1

fix readme signing example.
fixes https://github.com/nbd-wtf/nostr-tools/issues/78
2025-12-09 00:28:51 +00:00 · 2023-01-04 10:16:15 -03:00 · 2023-01-04 10:15:16 -03:00 · 2023-01-03 16:20:42 -03:00 · 2022-12-29 18:26:28 -03:00 · 2022-12-28 09:18:09 -03:00
7 changed files with 37 additions and 34 deletions
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 Tools for developing [Nostr](https://github.com/fiatjaf/nostr) clients.

-Very lean on dependencies.
+Only depends on _@scure_ and _@noble_ packages.

 ## Usage

@@ -30,11 +30,11 @@ let event = {
  kind: 1,
  created_at: Math.floor(Date.now() / 1000),
  tags: [],
-  content: 'hello'
+  content: 'hello',
+  pubkey: getPublicKey(privateKey)
 }

 event.id = getEventHash(event)
-event.pubkey = getPublicKey(privateKey)
 event.sig = signEvent(event, privateKey)

 let ok = validateEvent(event)
@@ -102,13 +102,13 @@ event.sig = signEvent(event, sk)

 let pub = relay.publish(event)
 pub.on('ok', () => {
-  console.log(`{relay.url} has accepted our event`)
+  console.log(`${relay.url} has accepted our event`)
 })
 pub.on('seen', () => {
-  console.log(`we saw the event on {relay.url}`)
+  console.log(`we saw the event on ${relay.url}`)
 })
 pub.on('failed', reason => {
-  console.log(`failed to publish to {relay.url}: ${reason}`)
+  console.log(`failed to publish to ${relay.url}: ${reason}`)
 })

 await relay.close()
--- a/event.test.js
+++ b/event.test.js
@@ -4,7 +4,6 @@ const {
  validateEvent,
  verifySignature,
  signEvent,
-  getEventHash,
  getPublicKey
 } = require('./lib/nostr.cjs')

@@ -35,15 +34,15 @@ test('validate event', () => {
 })

 test('check signature', async () => {
-  expect(await verifySignature(event)).toBeTruthy()
+  expect(verifySignature(event)).toBeTruthy()
 })

 test('sign event', async () => {
-  let sig = await signEvent(unsigned, privateKey)
-  let hash = getEventHash(unsigned)
  let pubkey = getPublicKey(privateKey)
+  let authored = {...unsigned, pubkey}

-  let signed = {...unsigned, id: hash, sig, pubkey}
+  let sig = signEvent(authored, privateKey)
+  let signed = {...authored, sig}

-  expect(await verifySignature(signed)).toBeTruthy()
+  expect(verifySignature(signed)).toBeTruthy()
 })
--- a/event.ts
+++ b/event.ts
@@ -3,7 +3,6 @@ import {sha256} from '@noble/hashes/sha256'

 import {utf8Encoder} from './utils'

-
 /* eslint-disable no-unused-vars */
 export enum Kind {
  Metadata = 0,
@@ -17,7 +16,7 @@ export enum Kind {
  ChannelMetadata = 41,
  ChannelMessage = 42,
  ChannelHideMessage = 43,
-  ChannelMuteUser = 44,
+  ChannelMuteUser = 44
 }

 export type Event = {
@@ -41,6 +40,9 @@ export function getBlankEvent(): Event {
 }

 export function serializeEvent(evt: Event): string {
+  if (!validateEvent(evt))
+    throw new Error("can't serialize event with wrong or missing properties")
+
  return JSON.stringify([
    0,
    evt.pubkey,
@@ -57,9 +59,10 @@ export function getEventHash(event: Event): string {
 }

 export function validateEvent(event: Event): boolean {
-  if (event.id !== getEventHash(event)) return false
  if (typeof event.content !== 'string') return false
  if (typeof event.created_at !== 'number') return false
+  if (typeof event.pubkey !== 'string') return false
+  if (!event.pubkey.match(/^[a-f0-9]{64}$/)) return false

  if (!Array.isArray(event.tags)) return false
  for (let i = 0; i < event.tags.length; i++) {
@@ -73,10 +76,12 @@ export function validateEvent(event: Event): boolean {
  return true
 }

-export function verifySignature(
-  event: Event & {id: string; sig: string}
-): boolean {
-  return secp256k1.schnorr.verifySync(event.sig, event.id, event.pubkey)
+export function verifySignature(event: Event & {sig: string}): boolean {
+  return secp256k1.schnorr.verifySync(
+    event.sig,
+    getEventHash(event),
+    event.pubkey
+  )
 }

 export function signEvent(event: Event, key: string): string {
--- a/nip04.ts
+++ b/nip04.ts
@@ -1,6 +1,6 @@
 import {randomBytes} from '@noble/hashes/utils'
 import * as secp256k1 from '@noble/secp256k1'
-import {encode as b64encode, decode as b64decode} from 'base64-arraybuffer'
+import {base64} from '@scure/base'

 import {utf8Decoder, utf8Encoder} from './utils'

@@ -26,8 +26,8 @@ export async function encrypt(
    cryptoKey,
    plaintext
  )
-  let ctb64 = b64encode(ciphertext)
-  let ivb64 = b64encode(iv.buffer)
+  let ctb64 = base64.encode(new Uint8Array(ciphertext))
+  let ivb64 = base64.encode(new Uint8Array(iv.buffer))

  return `${ctb64}?iv=${ivb64}`
 }
@@ -48,8 +48,8 @@ export async function decrypt(
    false,
    ['decrypt']
  )
-  let ciphertext = b64decode(ctb64)
-  let iv = b64decode(ivb64)
+  let ciphertext = base64.decode(ctb64)
+  let iv = base64.decode(ivb64)

  let plaintext = await crypto.subtle.decrypt(
    {name: 'AES-CBC', iv},
--- a/nip19.ts
+++ b/nip19.ts
@@ -1,5 +1,5 @@
 import * as secp256k1 from '@noble/secp256k1'
-import {bech32} from 'bech32'
+import {bech32} from '@scure/base'

 import {utf8Decoder, utf8Encoder} from './utils'

@@ -17,7 +17,7 @@ export function decode(nip19: string): {
  type: string
  data: ProfilePointer | EventPointer | string
 } {
-  let {prefix, words} = bech32.decode(nip19, 1000)
+  let {prefix, words} = bech32.decode(nip19, 1500)
  let data = new Uint8Array(bech32.fromWords(words))

  if (prefix === 'nprofile') {
@@ -87,7 +87,7 @@ export function noteEncode(hex: string): string {
 function encodeBytes(prefix: string, hex: string): string {
  let data = secp256k1.utils.hexToBytes(hex)
  let words = bech32.toWords(data)
-  return bech32.encode(prefix, words, 1000)
+  return bech32.encode(prefix, words, 1500)
 }

 export function nprofileEncode(profile: ProfilePointer): string {
@@ -96,7 +96,7 @@ export function nprofileEncode(profile: ProfilePointer): string {
    1: (profile.relays || []).map(url => utf8Encoder.encode(url))
  })
  let words = bech32.toWords(data)
-  return bech32.encode('nprofile', words, 1000)
+  return bech32.encode('nprofile', words, 1500)
 }

 export function neventEncode(event: EventPointer): string {
@@ -105,7 +105,7 @@ export function neventEncode(event: EventPointer): string {
    1: (event.relays || []).map(url => utf8Encoder.encode(url))
  })
  let words = bech32.toWords(data)
-  return bech32.encode('nevent', words, 1000)
+  return bech32.encode('nevent', words, 1500)
 }

 function encodeTLV(tlv: TLV): Uint8Array {
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "nostr-tools",
-  "version": "1.0.1",
+  "version": "1.1.1",
  "description": "Tools for making a Nostr client.",
  "repository": {
    "type": "git",
@@ -11,10 +11,9 @@
  "dependencies": {
    "@noble/hashes": "^0.5.7",
    "@noble/secp256k1": "^1.7.0",
+    "@scure/base": "^1.1.1",
    "@scure/bip32": "^1.1.1",
-    "@scure/bip39": "^1.1.0",
-    "base64-arraybuffer": "^1.0.2",
-    "bech32": "^2.0.0"
+    "@scure/bip39": "^1.1.0"
  },
  "keywords": [
    "decentralization",
--- a/relay.test.js
+++ b/relay.test.js
@@ -98,7 +98,7 @@ test('listening (twice) and publishing', async () => {
    content: 'nostr-tools test suite'
  }
  event.id = getEventHash(event)
-  event.sig = await signEvent(event, sk)
+  event.sig = signEvent(event, sk)

  relay.publish(event)
  return expect(
Author	SHA1	Message	Date
fiatjaf	901445dea1	tag v1.1.1	2023-01-04 10:16:15 -03:00
fiatjaf	91b67cd0d5	fix readme signing example. fixes https://github.com/nbd-wtf/nostr-tools/issues/78	2023-01-04 10:15:16 -03:00
bayernator	1e696e0f3b	increase nprofile, encodeBytes, nprofileEncode string length parameter to 1500	2023-01-03 16:20:42 -03:00
fiatjaf	4b36848b2d	fix signing functions to be more strict and correct.	2022-12-29 18:26:28 -03:00
pseudozach	3cb351a5f4	fix typo	2022-12-28 09:18:09 -03:00
François-Xavier Thoorens	5db1934fa4	fixed security issue around event verification the use of id has been removed and the hash is computed instead	2022-12-27 16:46:36 -03:00
fiatjaf	50c3f24b25	replace two packages with a @scure dependency that already existed.	2022-12-27 11:35:21 -03:00