chore: switch to encryption tag from versioning (#1093)

* chore: switch to encryption tag from versioning

* chore: also support versioning

* chore: check version tag first

* Chore: nwc encryption feedback (#1137)

* chore: code cleanup, and responses for invalid encryption tag / unable to decrypt

* chore: add constants for encryption types

* chore: update test to cover when encryption tag is passed with no version

* chore: explain why we respond using nip-44 encryption if decryption fails

---------

Co-authored-by: Roland Bewick <roland.bewick@gmail.com>
Co-authored-by: Roland <33993199+rolznz@users.noreply.github.com>

Author: im-adithya

constants/constants.go

@@ -49,15 +49,20 @@ const INVOICE_METADATA_MAX_LENGTH = 4096
 
 // errors used by NIP-47 and the transaction service
 const (
-	ERROR_INTERNAL             = "INTERNAL"
-	ERROR_NOT_IMPLEMENTED      = "NOT_IMPLEMENTED"
-	ERROR_QUOTA_EXCEEDED       = "QUOTA_EXCEEDED"
-	ERROR_INSUFFICIENT_BALANCE = "INSUFFICIENT_BALANCE"
-	ERROR_UNAUTHORIZED         = "UNAUTHORIZED"
-	ERROR_EXPIRED              = "EXPIRED"
-	ERROR_RESTRICTED           = "RESTRICTED"
-	ERROR_BAD_REQUEST          = "BAD_REQUEST"
-	ERROR_NOT_FOUND            = "NOT_FOUND"
-	ERROR_UNSUPPORTED_VERSION  = "UNSUPPORTED_VERSION"
-	ERROR_OTHER                = "OTHER"
+	ERROR_INTERNAL               = "INTERNAL"
+	ERROR_NOT_IMPLEMENTED        = "NOT_IMPLEMENTED"
+	ERROR_QUOTA_EXCEEDED         = "QUOTA_EXCEEDED"
+	ERROR_INSUFFICIENT_BALANCE   = "INSUFFICIENT_BALANCE"
+	ERROR_UNAUTHORIZED           = "UNAUTHORIZED"
+	ERROR_EXPIRED                = "EXPIRED"
+	ERROR_RESTRICTED             = "RESTRICTED"
+	ERROR_BAD_REQUEST            = "BAD_REQUEST"
+	ERROR_NOT_FOUND              = "NOT_FOUND"
+	ERROR_UNSUPPORTED_ENCRYPTION = "UNSUPPORTED_ENCRYPTION"
+	ERROR_OTHER                  = "OTHER"
+)
+
+const (
+	ENCRYPTION_TYPE_NIP04    = "nip04"
+	ENCRYPTION_TYPE_NIP44_V2 = "nip44_v2"
 )

nip47/cipher/cipher.go

@@ -3,31 +3,33 @@ package cipher
 import (
 	"fmt"
 
+	"github.com/getAlby/hub/constants"
 	"github.com/nbd-wtf/go-nostr/nip04"
 	"github.com/nbd-wtf/go-nostr/nip44"
 )
 
 const (
-	SUPPORTED_VERSIONS = "1.0 0.0"
+	SUPPORTED_VERSIONS    = "0.0 1.0"
+	SUPPORTED_ENCRYPTIONS = "nip44_v2 nip04"
 )
 
 type Nip47Cipher struct {
-	version         string
+	encryption      string
 	pubkey          string
 	privkey         string
 	sharedSecret    []byte
 	conversationKey [32]byte
 }
 
-func NewNip47Cipher(version, pubkey, privkey string) (*Nip47Cipher, error) {
-	_, err := isVersionSupported(version)
+func NewNip47Cipher(encryption, pubkey, privkey string) (*Nip47Cipher, error) {
+	_, err := isEncryptionSupported(encryption)
 	if err != nil {
 		return nil, err
 	}
 
 	var ss []byte
 	var ck [32]byte
-	if version == "0.0" {
+	if encryption == constants.ENCRYPTION_TYPE_NIP04 {
 		ss, err = nip04.ComputeSharedSecret(pubkey, privkey)
 		if err != nil {
 			return nil, err
@@ -40,7 +42,7 @@ func NewNip47Cipher(version, pubkey, privkey string) (*Nip47Cipher, error) {
 	}
 
 	return &Nip47Cipher{
-		version:         version,
+		encryption:      encryption,
 		pubkey:          pubkey,
 		privkey:         privkey,
 		sharedSecret:    ss,
@@ -49,7 +51,7 @@ func NewNip47Cipher(version, pubkey, privkey string) (*Nip47Cipher, error) {
 }
 
 func (c *Nip47Cipher) Encrypt(message string) (msg string, err error) {
-	if c.version == "0.0" {
+	if c.encryption == constants.ENCRYPTION_TYPE_NIP04 {
 		msg, err = nip04.Encrypt(message, c.sharedSecret)
 		if err != nil {
 			return "", err
@@ -64,7 +66,7 @@ func (c *Nip47Cipher) Encrypt(message string) (msg string, err error) {
 }
 
 func (c *Nip47Cipher) Decrypt(content string) (payload string, err error) {
-	if c.version == "0.0" {
+	if c.encryption == constants.ENCRYPTION_TYPE_NIP04 {
 		payload, err = nip04.Decrypt(content, c.sharedSecret)
 		if err != nil {
 			return "", err
@@ -78,10 +80,10 @@ func (c *Nip47Cipher) Decrypt(content string) (payload string, err error) {
 	return payload, nil
 }
 
-func isVersionSupported(version string) (bool, error) {
-	if version == "1.0" || version == "0.0" {
+func isEncryptionSupported(encryption string) (bool, error) {
+	if encryption == constants.ENCRYPTION_TYPE_NIP44_V2 || encryption == constants.ENCRYPTION_TYPE_NIP04 {
 		return true, nil
 	}
 
-	return false, fmt.Errorf("invalid version: %s", version)
+	return false, fmt.Errorf("invalid encryption: %s", encryption)
 }

nip47/cipher/cipher_test.go

@@ -4,21 +4,22 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/getAlby/hub/constants"
 	"github.com/nbd-wtf/go-nostr"
 
 	"github.com/stretchr/testify/assert"
 )
 
 func TestCipher(t *testing.T) {
-	doTestCipher(t, "0.0")
-	doTestCipher(t, "1.0")
+	doTestCipher(t, constants.ENCRYPTION_TYPE_NIP04)
+	doTestCipher(t, constants.ENCRYPTION_TYPE_NIP44_V2)
 }
 
-func doTestCipher(t *testing.T, version string) {
+func doTestCipher(t *testing.T, encryption string) {
 	reqPrivateKey := nostr.GeneratePrivateKey()
 	reqPubkey, err := nostr.GetPublicKey(reqPrivateKey)
 
-	nip47Cipher, err := NewNip47Cipher(version, reqPubkey, reqPrivateKey)
+	nip47Cipher, err := NewNip47Cipher(encryption, reqPubkey, reqPrivateKey)
 	assert.NoError(t, err)
 
 	payload := "test payload"
@@ -29,19 +30,19 @@ func doTestCipher(t *testing.T, version string) {
 	assert.Equal(t, payload, decrypted)
 }
 
-func TestCipher_UnsupportedVersions(t *testing.T) {
-	doTestCipher_UnsupportedVersions(t, "1")
-	doTestCipher_UnsupportedVersions(t, "x.1")
-	doTestCipher_UnsupportedVersions(t, "1.x")
-	doTestCipher_UnsupportedVersions(t, "2.0")
-	doTestCipher_UnsupportedVersions(t, "0.5")
+func TestCipher_UnsupportedEncrptions(t *testing.T) {
+	doTestCipher_UnsupportedEncrptions(t, "nip44")
+	doTestCipher_UnsupportedEncrptions(t, "nip44_v0")
+	doTestCipher_UnsupportedEncrptions(t, "nip44_v1")
+	doTestCipher_UnsupportedEncrptions(t, "nip44v2")
+	doTestCipher_UnsupportedEncrptions(t, "nip-44")
 }
 
-func doTestCipher_UnsupportedVersions(t *testing.T, version string) {
+func doTestCipher_UnsupportedEncrptions(t *testing.T, encryption string) {
 	reqPrivateKey := nostr.GeneratePrivateKey()
 	reqPubkey, err := nostr.GetPublicKey(reqPrivateKey)
 
-	_, err = NewNip47Cipher(version, reqPubkey, reqPrivateKey)
+	_, err = NewNip47Cipher(encryption, reqPubkey, reqPrivateKey)
 	assert.Error(t, err)
-	assert.Equal(t, fmt.Sprintf("invalid version: %s", version), err.Error())
+	assert.Equal(t, fmt.Sprintf("invalid encryption: %s", encryption), err.Error())
 }

nip47/event_handler.go

@@ -93,20 +93,31 @@ func (svc *nip47Service) HandleEvent(ctx context.Context, relay nostrmodels.Rela
 		}
 	}
 
-	version := "0.0"
-	vTag := event.Tags.GetFirst([]string{"v"})
+	encryption := constants.ENCRYPTION_TYPE_NIP04
+	encryptionTag := event.Tags.GetFirst([]string{"encryption"})
+	if encryptionTag != nil {
+		encryption = encryptionTag.Value()
+	}
 
-	if vTag != nil && vTag.Value() != "" {
-		version = vTag.Value()
+	// TODO: Remove version tag after 01-06-2025
+	if encryptionTag == nil {
+		vTag := event.Tags.GetFirst([]string{"v"})
+		if vTag != nil && vTag.Value() != "" {
+			version := vTag.Value()
+			if version == "1.0" {
+				encryption = constants.ENCRYPTION_TYPE_NIP44_V2
+			}
+		}
 	}
 
-	nip47Cipher, err := cipher.NewNip47Cipher(version, app.AppPubkey, appWalletPrivKey)
+	nip47Cipher, err := cipher.NewNip47Cipher(encryption, app.AppPubkey, appWalletPrivKey)
 	if err != nil {
+		cipherErr := err
 		logger.Logger.WithFields(logrus.Fields{
 			"requestEventNostrId": event.ID,
 			"eventKind":           event.Kind,
 			"appId":               app.ID,
-			"version":             version,
+			"encryption":          encryption,
 		}).WithError(err).Error("Failed to initialize cipher")
 
 		requestEvent.State = db.REQUEST_EVENT_STATE_HANDLER_ERROR
@@ -116,6 +127,37 @@ func (svc *nip47Service) HandleEvent(ctx context.Context, relay nostrmodels.Rela
 				"appPubkey": event.PubKey,
 			}).WithError(err).Error("Failed to save state to nostr event")
 		}
+
+		// whenever we are unable to handle the request encryption, we always respond with our preferred encryption
+		// re-create the cipher with NIP-44 to send an error response
+		nip47Cipher, err := cipher.NewNip47Cipher(constants.ENCRYPTION_TYPE_NIP44_V2, app.AppPubkey, appWalletPrivKey)
+
+		if err != nil {
+			logger.Logger.WithFields(logrus.Fields{
+				"requestEventNostrId": event.ID,
+				"eventKind":           event.Kind,
+				"appId":               app.ID,
+				"encryption":          encryption,
+			}).WithError(err).Error("Failed to initialize cipher")
+			return
+		}
+
+		nip47Response = &models.Response{
+			Error: &models.Error{
+				Code:    constants.ERROR_UNSUPPORTED_ENCRYPTION,
+				Message: cipherErr.Error(),
+			},
+		}
+
+		resp, err := svc.CreateResponse(event, nip47Response, nostr.Tags{}, nip47Cipher, appWalletPrivKey)
+		if err != nil {
+			logger.Logger.WithFields(logrus.Fields{
+				"requestEventNostrId": event.ID,
+				"eventKind":           event.Kind,
+			}).WithError(err).Error("Failed to process event")
+		}
+		svc.publishResponseEvent(ctx, relay, &requestEvent, resp, &app)
+
 		return
 	}
 
@@ -154,6 +196,7 @@ func (svc *nip47Service) HandleEvent(ctx context.Context, relay nostrmodels.Rela
 
 	payload, err := nip47Cipher.Decrypt(event.Content)
 	if err != nil {
+		decryptionErr := err
 		logger.Logger.WithFields(logrus.Fields{
 			"requestEventNostrId": event.ID,
 			"eventKind":           event.Kind,
@@ -168,6 +211,36 @@ func (svc *nip47Service) HandleEvent(ctx context.Context, relay nostrmodels.Rela
 			}).WithError(err).Error("Failed to save state to nostr event")
 		}
 
+		// whenever we are unable to handle the request encryption, we always respond with our preferred encryption
+		// re-create the cipher with NIP-44 to send an error response
+		nip47Cipher, err := cipher.NewNip47Cipher(constants.ENCRYPTION_TYPE_NIP44_V2, app.AppPubkey, appWalletPrivKey)
+
+		if err != nil {
+			logger.Logger.WithFields(logrus.Fields{
+				"requestEventNostrId": event.ID,
+				"eventKind":           event.Kind,
+				"appId":               app.ID,
+				"encryption":          encryption,
+			}).WithError(err).Error("Failed to initialize cipher")
+			return
+		}
+
+		nip47Response = &models.Response{
+			Error: &models.Error{
+				Code:    constants.ERROR_INTERNAL,
+				Message: fmt.Sprintf("failed to decrypt: %s", decryptionErr.Error()),
+			},
+		}
+
+		resp, err := svc.CreateResponse(event, nip47Response, nostr.Tags{}, nip47Cipher, appWalletPrivKey)
+		if err != nil {
+			logger.Logger.WithFields(logrus.Fields{
+				"requestEventNostrId": event.ID,
+				"eventKind":           event.Kind,
+			}).WithError(err).Error("Failed to process event")
+		}
+		svc.publishResponseEvent(ctx, relay, &requestEvent, resp, &app)
+
 		return
 	}
 	nip47Request := &models.Request{}

nip47/event_handler_shared_wallet_pubkey_test.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
+	"github.com/getAlby/hub/constants"
 	"github.com/getAlby/hub/tests"
 )
 
@@ -13,77 +14,77 @@ func TestHandleResponse_SharedWalletPubkey_Nip04_WithPermission(t *testing.T) {
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_WithPermission(t, svc, tests.CreateAppWithSharedWalletPubkey, "0.0")
+	doTestHandleResponse_WithPermission(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP04)
 }
 
 func TestHandleResponse_SharedWalletPubkey_Nip44_WithPermission(t *testing.T) {
 	svc, err := tests.CreateTestService(t)
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_WithPermission(t, svc, tests.CreateAppWithSharedWalletPubkey, "1.0")
+	doTestHandleResponse_WithPermission(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP44_V2)
 }
 
 func TestHandleResponse_SharedWalletPubkey_Nip04_DuplicateRequest(t *testing.T) {
 	svc, err := tests.CreateTestService(t)
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_DuplicateRequest(t, svc, tests.CreateAppWithSharedWalletPubkey, "0.0")
+	doTestHandleResponse_DuplicateRequest(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP04)
 }
 
 func TestHandleResponse_SharedWalletPubkey_Nip44_DuplicateRequest(t *testing.T) {
 	svc, err := tests.CreateTestService(t)
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_DuplicateRequest(t, svc, tests.CreateAppWithSharedWalletPubkey, "1.0")
+	doTestHandleResponse_DuplicateRequest(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP44_V2)
 }
 
 func TestHandleResponse_SharedWalletPubkey_Nip04_NoPermission(t *testing.T) {
 	svc, err := tests.CreateTestService(t)
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_NoPermission(t, svc, tests.CreateAppWithSharedWalletPubkey, "0.0")
+	doTestHandleResponse_NoPermission(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP04)
 }
 
 func TestHandleResponse_SharedWalletPubkey_Nip44_NoPermission(t *testing.T) {
 	svc, err := tests.CreateTestService(t)
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_NoPermission(t, svc, tests.CreateAppWithSharedWalletPubkey, "1.0")
+	doTestHandleResponse_NoPermission(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP44_V2)
 }
 
 func TestHandleResponse_SharedWalletPubkey_Nip04_IncorrectPubkey(t *testing.T) {
 	svc, err := tests.CreateTestService(t)
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_IncorrectPubkey(t, svc, tests.CreateAppWithSharedWalletPubkey, "0.0")
+	doTestHandleResponse_IncorrectPubkey(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP04)
 }
 
 func TestHandleResponse_SharedWalletPubkey_Nip44_IncorrectPubkey(t *testing.T) {
 	svc, err := tests.CreateTestService(t)
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_IncorrectPubkey(t, svc, tests.CreateAppWithSharedWalletPubkey, "1.0")
+	doTestHandleResponse_IncorrectPubkey(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP44_V2)
 }
 
 func TestHandleResponse_SharedWalletPubkey_Nip04_OldRequestForPayment(t *testing.T) {
 	svc, err := tests.CreateTestService(t)
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_OldRequestForPayment(t, svc, tests.CreateAppWithSharedWalletPubkey, "0.0")
+	doTestHandleResponse_OldRequestForPayment(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP04)
 }
 
 func TestHandleResponse_SharedWalletPubkey_Nip44_OldRequestForPayment(t *testing.T) {
 	svc, err := tests.CreateTestService(t)
 	require.NoError(t, err)
 	defer svc.Remove()
 
-	doTestHandleResponse_OldRequestForPayment(t, svc, tests.CreateAppWithSharedWalletPubkey, "1.0")
+	doTestHandleResponse_OldRequestForPayment(t, svc, tests.CreateAppWithSharedWalletPubkey, constants.ENCRYPTION_TYPE_NIP44_V2)
 }