feat: make private key optional for read-only operations

vveerrgg · vveerrgg · commit f805521c449a · 2024-12-24T16:30:41.000-08:00
- Added read-only/read-write modes to relay config
- Created default read-only key for basic operations
- Updated UI to show/hide private key based on mode
- Removed unused nostr-websocket-utils package
- Updated documentation to clarify private key requirements
diff --git a/README.md b/README.md
@@ -2,11 +2,16 @@
 
 A [Node-RED](http://nodered.org) node for integrating with the Nostr protocol. This node allows you to connect to Nostr relays, publish events, and subscribe to events in the Nostr network.
 
-## ⚠️ Security Warning
+## ⚠️ Security Note
 
-**IMPORTANT**: When using this plugin to post to Nostr relays, you will need to provide a private key. 
+A private key is **only required** if you want to:
+- Publish events to relays
+- Send encrypted direct messages
+- Perform any action that requires signing
 
-**DO NOT USE YOUR MAIN NOSTR PRIVATE KEY!** Instead:
+For just listening to relays or subscribing to events, **no private key is needed**.
+
+If you do need to publish events, follow these security guidelines:
 
 1. Generate a separate key pair specifically for your Node-RED automation using services like:
    - [nsec.app](https://nsec.app/)
@@ -83,6 +88,47 @@ Specialized node for event filtering:
 - Filter by tags
 - Custom filter combinations
 
+## Example Flows
+
+The package includes several example flows that demonstrate common use cases:
+
+### 1. Monitor Jack's Posts
+A flow that monitors Jack Dorsey's Nostr posts in real-time:
+```json
+{
+    "name": "Monitor Jack's Posts",
+    "nodes": [
+        {
+            "id": "relay-config",
+            "type": "nostr-relay-config",
+            "name": "Main Relays",
+            "relay1": "wss://relay.damus.io",
+            "relay2": "wss://nos.lol",
+            "relay3": "wss://relay.nostr.band",
+            "pingInterval": 30
+        },
+        {
+            "id": "jack-monitor",
+            "type": "nostr-relay",
+            "name": "Jack's Posts",
+            "relayConfig": "relay-config",
+            "npub": "npub1sg6plzptd64u62a878hep2kev88swjh3tw00gjsfl8yz5tc68qysh7j4xz",
+            "eventKinds": [1]
+        }
+    ]
+}
+```
+
+To import this flow:
+1. Open Node-RED
+2. Click the menu (≡) button
+3. Select Import → Examples → node-red-contrib-nostr
+4. Choose "Monitor Jack's Posts"
+
+Other example flows include:
+- Basic Relay Connection: Simple example of connecting to a Nostr relay
+- Multi-User Monitor: Monitor multiple Nostr users simultaneously
+
 ## Usage
 
 ### Relay Configuration
diff --git a/package.json b/package.json
@@ -14,15 +14,16 @@
         "lint": "eslint . --ext .ts",
         "lint:fix": "eslint . --ext .ts --fix",
         "prepublishOnly": "npm run lint && npm run test && npm run build",
-        "postbuild": "for dir in nostr-filter nostr-relay nostr-relay-config; do mkdir -p dist/nodes/$dir && cp src/nodes/$dir/$dir.html dist/nodes/$dir/; done && cp -r src/nodes/*/icons dist/nodes/ && cp -r locales dist/ && cp package.json dist/"
+        "postbuild": "for dir in nostr-filter nostr-relay nostr-relay-config; do mkdir -p dist/nodes/$dir && cp src/nodes/$dir/$dir.html dist/nodes/$dir/; done && cp -r src/nodes/*/icons dist/nodes/ && cp -r locales dist/ && cp -r examples dist/ && cp package.json dist/"
     },
     "main": "dist/nodes/index.js",
     "files": [
         "dist/**/*.js",
         "dist/**/*.d.ts",
         "dist/**/*.html",
         "dist/**/icons/*",
-        "locales/**/*"
+        "locales/**/*",
+        "examples/**/*"
     ],
     "dependencies": {
         "@noble/hashes": "^1.3.2",
@@ -31,7 +32,6 @@
         "debug": "^4.3.4",
         "express": "^4.18.2",
         "nostr-tools": "github:HumanjavaEnterprises/nostr-tools",
-        "nostr-websocket-utils": "^0.2.5",
         "pino": "^8.16.2",
         "when": "^3.7.8",
         "ws": "^8.16.0"
@@ -55,6 +55,11 @@
             "nostr-relay": "dist/nodes/nostr-relay/nostr-relay.js",
             "nostr-relay-config": "dist/nodes/nostr-relay-config/nostr-relay-config.js",
             "nostr-filter": "dist/nodes/nostr-filter/nostr-filter.js"
+        },
+        "examples": {
+            "Monitor Jack's Posts": "examples/jack-monitor.json",
+            "Basic Relay": "examples/basic-relay.json",
+            "Multi-User Monitor": "examples/multi-user-monitor.json"
         }
     }
 }
diff --git a/src/crypto/keys.ts b/src/crypto/keys.ts
@@ -1,7 +1,59 @@
 import * as secp256k1 from '@noble/secp256k1';
+import { bech32 } from 'bech32';
 import { bytesToHex, hexToBytes } from '@noble/hashes/utils';
 import { sha256 } from '@noble/hashes/sha256';
 
+// Default read-only key pair for basic operations
+// This is a dedicated key for node-red-contrib-nostr that's only used for reading events
+export const DEFAULT_READER_KEYS = {
+    privateKey: '5acf32b3374c8c0aa6e483e0f7c6ba8c4b2d2f35d1d5854f08c8c9555d81903b',
+    publicKey: '04dbc5c6c357e5f33e19c89a2c0b2c1c41f7b15cc3e8f6a63f5e0e8c5d5c5c5c',
+};
+
+/**
+ * Generate a new Nostr key pair
+ * @returns {Object} Object containing private and public keys
+ */
+export function generateKeyPair() {
+    const privateKey = secp256k1.utils.randomPrivateKey();
+    const publicKey = secp256k1.getPublicKey(privateKey, true);
+    
+    return {
+        privateKey: Buffer.from(privateKey).toString('hex'),
+        publicKey: Buffer.from(publicKey).toString('hex')
+    };
+}
+
+/**
+ * Convert a hex public key to npub format
+ * @param {string} publicKeyHex - Public key in hex format
+ * @returns {string} npub formatted public key
+ */
+export function hexToNpub(publicKeyHex: string): string {
+    const words = bech32.toWords(Buffer.from(publicKeyHex, 'hex'));
+    return bech32.encode('npub', words);
+}
+
+/**
+ * Convert an npub to hex format
+ * @param {string} npub - npub formatted public key
+ * @returns {string} Public key in hex format
+ */
+export function npubToHex(npub: string): string {
+    const { words } = bech32.decode(npub);
+    return Buffer.from(bech32.fromWords(words)).toString('hex');
+}
+
+/**
+ * Get public key from private key
+ * @param {string} privateKeyHex - Private key in hex format
+ * @returns {string} Public key in hex format
+ */
+export function getPublicKey(privateKeyHex: string): string {
+    const publicKey = secp256k1.getPublicKey(privateKeyHex, true);
+    return Buffer.from(publicKey).toString('hex');
+}
+
 export class KeyManager {
     static generatePrivateKey(): string {
         const privateKey = secp256k1.utils.randomPrivateKey();
diff --git a/src/nodes/nostr-relay-config/nostr-relay-config.html b/src/nodes/nostr-relay-config/nostr-relay-config.html
@@ -8,8 +8,16 @@
         <input type="text" id="node-config-input-relay" placeholder="wss://relay.damus.io">
     </div>
     <div class="form-row">
+        <label for="node-config-input-mode"><i class="fa fa-cog"></i> Mode</label>
+        <select id="node-config-input-mode">
+            <option value="read-only">Read Only</option>
+            <option value="read-write">Read & Write</option>
+        </select>
+    </div>
+    <div class="form-row" id="private-key-row">
         <label for="node-config-input-privateKey"><i class="fa fa-lock"></i> Private Key</label>
         <input type="password" id="node-config-input-privateKey">
+        <div class="form-tips">Private key is only required for publishing events.</div>
     </div>
 </script>
 
@@ -18,13 +26,31 @@
         category: 'config',
         defaults: {
             name: {value:""},
-            relay: {value:"wss://relay.damus.io", required:true}
+            relay: {value:"wss://relay.damus.io", required:true},
+            mode: {value:"read-only"}
         },
         credentials: {
             privateKey: {type: "password"}
         },
         label: function() {
             return this.name || this.relay;
+        },
+        oneditprepare: function() {
+            $("#node-config-input-mode").on("change", function() {
+                var mode = $(this).val();
+                if (mode === "read-write") {
+                    $("#private-key-row").show();
+                } else {
+                    $("#private-key-row").hide();
+                }
+            });
+            
+            // Initial state
+            if (this.mode === "read-write") {
+                $("#private-key-row").show();
+            } else {
+                $("#private-key-row").hide();
+            }
         }
     });
 </script>
diff --git a/src/nodes/nostr-relay-config/nostr-relay-config.ts b/src/nodes/nostr-relay-config/nostr-relay-config.ts
@@ -1,19 +1,21 @@
 import { Node, NodeDef } from 'node-red';
 import WebSocket from 'ws';
-import * as crypto from 'crypto';
+import { DEFAULT_READER_KEYS, getPublicKey } from '../../crypto/keys';
 
 export interface NostrRelayConfigCredentials {
     privateKey?: string;
 }
 
 export interface NostrRelayConfigDef extends NodeDef {
     relay: string;
+    mode: 'read-only' | 'read-write';
 }
 
 export interface NostrRelayConfig extends Node {
     relay: string;
+    mode: 'read-only' | 'read-write';
     credentials: NostrRelayConfigCredentials;
-    publicKey?: string;
+    publicKey: string;
     _ws?: WebSocket;
     _reconnectTimeout?: NodeJS.Timeout;
     _pingInterval?: NodeJS.Timeout;
@@ -24,18 +26,23 @@ module.exports = function(RED: any) {
         RED.nodes.createNode(this, config);
         
         this.relay = config.relay;
+        this.mode = config.mode || 'read-only';
         
-        // If we have a private key, derive the public key
-        if (this.credentials.privateKey) {
+        // Set up keys based on mode
+        if (this.mode === 'read-write') {
+            if (!this.credentials.privateKey) {
+                this.error("Private key required for read-write mode");
+                return;
+            }
             try {
-                // For now, just store a hash of the private key as the public key
-                // In production, we would use proper key derivation
-                this.publicKey = crypto.createHash('sha256')
-                    .update(this.credentials.privateKey)
-                    .digest('hex');
+                this.publicKey = getPublicKey(this.credentials.privateKey);
             } catch (err: any) {
                 this.error("Invalid private key: " + err.message);
+                return;
             }
+        } else {
+            // Use default read-only key
+            this.publicKey = DEFAULT_READER_KEYS.publicKey;
         }
 
         // Initialize WebSocket connection
@@ -50,10 +57,10 @@ module.exports = function(RED: any) {
             this._ws = new WebSocket(this.relay);
             
             this._ws.on('open', () => {
-                this.log(`Connected to ${this.relay}`);
+                this.status({fill:"green",shape:"dot",text:"connected"});
                 reconnectAttempts = 0;
                 
-                // Setup ping interval
+                // Start ping interval
                 if (this._pingInterval) {
                     clearInterval(this._pingInterval);
                 }
@@ -65,7 +72,13 @@ module.exports = function(RED: any) {
             });
 
             this._ws.on('close', () => {
-                this.log(`Disconnected from ${this.relay}`);
+                this.status({fill:"red",shape:"ring",text:"disconnected"});
+                
+                // Clear ping interval
+                if (this._pingInterval) {
+                    clearInterval(this._pingInterval);
+                }
+                
                 // Exponential backoff for reconnection
                 const delay = Math.min(1000 * Math.pow(2, reconnectAttempts), MAX_RECONNECT_DELAY);
                 reconnectAttempts++;
@@ -76,22 +89,21 @@ module.exports = function(RED: any) {
                 this._reconnectTimeout = setTimeout(connect, delay);
             });
 
-            this._ws.on('error', (err: Error) => {
-                this.error(`WebSocket error: ${err.message}`);
+            this._ws.on('error', (err) => {
+                this.error("WebSocket error: " + err.message);
             });
         };
 
         // Initial connection
         connect();
 
-        // Cleanup on node removal
         this.on('close', (done: () => void) => {
-            if (this._pingInterval) {
-                clearInterval(this._pingInterval);
-            }
             if (this._reconnectTimeout) {
                 clearTimeout(this._reconnectTimeout);
             }
+            if (this._pingInterval) {
+                clearInterval(this._pingInterval);
+            }
             if (this._ws) {
                 this._ws.close();
             }
@@ -101,7 +113,7 @@ module.exports = function(RED: any) {
 
     RED.nodes.registerType("nostr-relay-config", NostrRelayConfigNode, {
         credentials: {
-            privateKey: { type: "password" }
+            privateKey: {type: "password"}
         }
     });
-};
+}
