Elegantly secure your Express.js APIs with the Passport-Nostr strategy, an easy-to-integrate solution for simple authentication using the Passport.js middleware.
Integrate Passport-Nostr into your project using npm or Yarn:

```sh
npm install passport-nostr
# OR
yarn add passport-nostr
```
Implement the NostrStrategy in your Express.js application:

```js
import passport from 'passport'
import NostrStrategy from 'passport-nostr'

passport.use(new NostrStrategy())
```
Secure your API endpoints effortlessly:

```js
app.get(
  '/protected',
  passport.authenticate('nostr', { session: false }),
  (req, res) => {
    res.json({ message: 'This is a protected endpoint.' })
  }
)
```
Passport-Nostr validates the `Authorization` header of incoming HTTP requests. The header should contain a Base64-encoded Nostr authentication event that proves the request was signed by a specific user. The strategy follows the Nostr protocol standards (Nostr is a decentralized social-network protocol).
- Extract and Decode: The `Authorization` header, prefixed with `Nostr `, is extracted and decoded from Base64 to a JSON object.
- Event Verification: The decoded object should represent a Nostr event with:
  - `kind` equal to 27235
  - a `method` tag matching the HTTP method of the request
  - a `u` tag matching the request's URL
  - a `created_at` timestamp within a 60-second window of the current time
- Signature Verification: The event is authenticated by verifying its signature.
Here's a simplified overview of the logic implemented in the Passport-Nostr strategy:

```js
import PassportStrategy from 'passport-strategy'
import { verifySignature, getEventHash } from 'nostr-tools'

class NostrStrategy extends PassportStrategy {
  constructor() {
    super()
    this.name = 'nostr' // the name used in passport.authenticate('nostr', ...)
  }

  authenticate(req, options) {
    const authHeader = req.headers.authorization
    const method = req.method
    const url = req.protocol + '://' + req.get('host') + req.originalUrl
    // Validate the header; the helper returns the signer's pubkey or false
    const pubkey = isValidAuthorizationHeader(authHeader, method, url)
    if (!pubkey) return this.fail(401)
    this.success({ pubkey })
  }
}

function isValidAuthorizationHeader(authorization, method, url) {
  if (!authorization || !authorization.startsWith('Nostr ')) return false
  let event
  try {
    // Decode and parse the event from the Authorization header
    event = JSON.parse(Buffer.from(authorization.slice(6), 'base64').toString('utf8'))
  } catch {
    return false
  }
  const tagValue = (name) => (event.tags || []).find((t) => t[0] === name)?.[1]
  const now = Math.floor(Date.now() / 1000)
  if (event.kind !== 27235) return false
  if (tagValue('method') !== method || tagValue('u') !== url) return false
  if (Math.abs(now - event.created_at) > 60) return false
  // The signature is over the event id, so the id must also match the content
  if (getEventHash(event) !== event.id || !verifySignature(event)) return false
  return event.pubkey
}

export default NostrStrategy
```
Upon receiving a request, the strategy:
- Extracts and decodes the Nostr event from the `Authorization` header.
- Validates the event's `kind`, `method`, `u` (URL), and `created_at` (timestamp) against the expected values and the request's context.
- Verifies the event's signature to confirm authenticity.
- If the event is valid, the request is authenticated. Otherwise, authentication fails.

For the full implementation and validations, refer to the strategy's source code.
Here's a quick example to illustrate how Passport-Nostr can be implemented:

```js
import express from 'express'
import passport from 'passport'
import NostrStrategy from 'passport-nostr'

const app = express()

passport.use(new NostrStrategy())
app.use(passport.initialize())

app.get(
  '/protected',
  passport.authenticate('nostr', { session: false }),
  (req, res) => {
    res.json({ message: 'Access Granted to Protected Endpoint!' })
  }
)

app.listen(3344, () => {
  console.log('Server is running on port 3344')
})
```
- API Key Protection: Use as a simple API key solution for securing your endpoints.
- Microservices: Safeguard internal microservices with minimal configuration.
- Prototyping: Quickly secure endpoints during the prototyping or development phase.
We welcome contributions to Passport-Nostr! Please see CONTRIBUTING.md for more details.
Passport-Nostr is MIT licensed.