fix: JWT algorithm pinning, timing-safe comparisons, timestamp validation, challenge store

HIGH fixes:
- Pin JWT to HS256 in both sign() and verify() (prevents algorithm confusion)
- Constant-time API key comparison via crypto.timingSafeEqual (2 locations)
- Event timestamp validation: reject >5min old or >60s future events
- In-memory challenge store when Supabase unavailable (was completely
  bypassing challenge verification without it)
- Browser fetches challenges from server instead of generating locally

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vveerrgg

src/browser/nostr-browser-auth.ts

@@ -26,27 +26,42 @@ export interface NostrBrowserConfig {
   challengeTemplate?: string;
   /** Timeout in milliseconds for getPublicKey and signEvent operations */
   timeout?: number;
+  /** Server URL for fetching challenges (e.g., 'https://auth.example.com') */
+  serverUrl?: string;
 }
 
 export class NostrBrowserAuth {
   private readonly kind: number;
   private readonly timeout: number;
   private readonly challengeTemplate: string;
+  private readonly serverUrl: string;
 
   constructor(config?: NostrBrowserConfig) {
     this.kind = config?.customKind || 22242;
     this.timeout = config?.timeout || 30000;
     this.challengeTemplate = config?.challengeTemplate || 'Sign this message to authenticate: %challenge%';
+    this.serverUrl = config?.serverUrl || '';
   }
 
   /**
-   * Creates a challenge for authentication
+   * Fetches a challenge from the server for authentication
+   * @param {string} pubkey - The public key to request a challenge for
    * @returns {Promise<{challenge: string, timestamp: number}>}
+   * @throws {Error} When the server URL is not configured or the request fails
    */
-  async createChallenge(): Promise<{ challenge: string; timestamp: number }> {
-    const challenge = Array.from(crypto.getRandomValues(new Uint8Array(32)), b => b.toString(16).padStart(2, '0')).join('');
+  async createChallenge(pubkey: string): Promise<{ challenge: string; timestamp: number }> {
+    if (!this.serverUrl) {
+      throw new Error('Server URL is required to fetch challenges. Set serverUrl in NostrBrowserConfig.');
+    }
+
+    const response = await fetch(`${this.serverUrl}/challenge/${pubkey}`);
+    if (!response.ok) {
+      throw new Error('Failed to get challenge from server');
+    }
+
+    const data = await response.json();
     const timestamp = Math.floor(Date.now() / 1000);
-    return { challenge, timestamp };
+    return { challenge: data.challenge, timestamp };
   }
 
   /**
@@ -69,8 +84,8 @@ export class NostrBrowserAuth {
       // Step 1: Get public key and request read permission
       const pubkey = await window.nostr.getPublicKey();
 
-      // Step 2: Create a challenge
-      const { challenge, timestamp } = await this.createChallenge();
+      // Step 2: Fetch a challenge from the server
+      const { challenge, timestamp } = await this.createChallenge(pubkey);
 
       // Step 3: Request signature permission by asking user to sign the challenge
       const event = {

src/middleware/security.middleware.ts

@@ -1,5 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import rateLimit from 'express-rate-limit';
+import crypto from 'crypto';
 import { createLogger } from '../utils/logger.js';
 
 const logger = createLogger('SecurityMiddleware');
@@ -9,7 +10,22 @@ export const validateApiKey = (req: Request, res: Response, next: NextFunction)
   const apiKey = req.header('X-API-Key');
   const validApiKeys = process.env.API_KEYS?.split(',') || [];
 
-  if (!apiKey || !validApiKeys.includes(apiKey)) {
+  if (!apiKey) {
+    logger.warn(`Missing API key from IP: ${req.ip}`);
+    return res.status(401).json({ error: 'Invalid API key' });
+  }
+
+  const incomingHash = crypto.createHash('sha256').update(apiKey).digest();
+  const isValid = validApiKeys.some(validKey => {
+    const validHash = crypto.createHash('sha256').update(validKey).digest();
+    try {
+      return crypto.timingSafeEqual(incomingHash, validHash);
+    } catch {
+      return false;
+    }
+  });
+
+  if (!isValid) {
     logger.warn(`Invalid API key attempt from IP: ${req.ip}`);
     return res.status(401).json({ error: 'Invalid API key' });
   }

src/services/nostr.service.ts

@@ -25,6 +25,8 @@ type SupabaseChallenge = {
 export class NostrService {
   private readonly config: NostrAuthConfig;
   private readonly supabase?: SupabaseClient;
+  private challengeStore: Map<string, { challenge: string; pubkey: string; createdAt: number }> = new Map();
+  private cleanupInterval?: ReturnType<typeof setInterval>;
 
   constructor(config: NostrAuthConfig) {
     // Set default values for required properties
@@ -42,6 +44,25 @@ export class NostrService {
     if (config.supabaseUrl && config.supabaseKey) {
       this.supabase = createClient(config.supabaseUrl, config.supabaseKey);
     }
+
+    // Periodically clean up expired challenges from in-memory store (every 60 seconds)
+    this.cleanupInterval = setInterval(() => {
+      const now = Date.now();
+      for (const [id, entry] of this.challengeStore) {
+        if (now - entry.createdAt > this.config.eventTimeoutMs) {
+          this.challengeStore.delete(id);
+        }
+      }
+    }, 60000);
+  }
+
+  /**
+   * Stops the periodic cleanup interval (for graceful shutdown)
+   */
+  destroy(): void {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+    }
   }
 
   /**
@@ -67,6 +88,13 @@ export class NostrService {
       } catch (error) {
         logger.error('Failed to store challenge:', error);
       }
+    } else {
+      // Store in in-memory challenge store as fallback
+      this.challengeStore.set(challenge.id, {
+        challenge: challenge.challenge,
+        pubkey,
+        createdAt: Date.now()
+      });
     }
 
     return challenge.challenge;
@@ -106,6 +134,28 @@ export class NostrService {
           .from('challenges')
           .delete()
           .eq('id', data.id);
+      } else {
+        // Verify against in-memory challenge store
+        let matchedId: string | null = null;
+
+        for (const [id, entry] of this.challengeStore) {
+          if (entry.challenge === event.content && entry.pubkey === event.pubkey) {
+            // Check if challenge has expired (5 min TTL)
+            if (Date.now() - entry.createdAt > this.config.eventTimeoutMs) {
+              this.challengeStore.delete(id);
+              return { success: false, error: 'Challenge expired' };
+            }
+            matchedId = id;
+            break;
+          }
+        }
+
+        if (!matchedId) {
+          return { success: false, error: 'Challenge not found' };
+        }
+
+        // Delete used challenge (single-use)
+        this.challengeStore.delete(matchedId);
       }
 
       return {

src/utils/api-key.utils.ts

@@ -5,7 +5,7 @@
  * @security This module is critical for API security. Handle keys with care.
  */
 
-import { createHash, randomBytes } from 'crypto';
+import { createHash, randomBytes, timingSafeEqual } from 'crypto';
 import { createLogger } from './logger.js';
 
 const logger = createLogger('APIKeyUtils');
@@ -80,7 +80,11 @@ export function hashApiKey(apiKey: string): string {
 export function verifyApiKey(apiKey: string, hashedApiKey: string): boolean {
   try {
     const hash = hashApiKey(apiKey);
-    return hash === hashedApiKey;
+    try {
+      return timingSafeEqual(Buffer.from(hash, 'hex'), Buffer.from(hashedApiKey, 'hex'));
+    } catch {
+      return false;
+    }
   } catch (error) {
     logger.error('Error verifying API key:', { error: error instanceof Error ? error.message : String(error) });
     return false;

src/utils/jwt.utils.ts

@@ -31,7 +31,7 @@ type JWTExpiresIn = `${number}h` | `${number}m` | `${number}s` | `${number}d`;
  */
 export function generateJWT(pubkey: string, secret: string, expiresIn: JWTExpiresIn): string {
   try {
-    return jwt.sign({ pubkey }, secret, { expiresIn });
+    return jwt.sign({ pubkey }, secret, { expiresIn, algorithm: 'HS256' });
   } catch (error) {
     logger.error('Error generating JWT:', error);
     throw error;
@@ -54,7 +54,7 @@ export function generateJWT(pubkey: string, secret: string, expiresIn: JWTExpire
  */
 export function verifyJWT(token: string, secret: string): { pubkey: string } {
   try {
-    const decoded = jwt.verify(token, secret) as { pubkey: string };
+    const decoded = jwt.verify(token, secret, { algorithms: ['HS256'] }) as { pubkey: string };
     return decoded;
   } catch (error) {
     logger.error('Error verifying JWT:', { error: error instanceof Error ? error.message : String(error) });

src/validators/event.validator.ts

@@ -48,6 +48,18 @@ export async function validateEvent(event: NostrEvent): Promise<VerificationResu
       return { success: false, error: 'Invalid signature' };
     }
 
+    // Validate timestamp to prevent replay attacks
+    const now = Math.floor(Date.now() / 1000);
+    if (!event.created_at || typeof event.created_at !== 'number') {
+      return { success: false, error: 'Missing or invalid created_at timestamp' };
+    }
+    if (event.created_at < now - 300) {
+      return { success: false, error: 'Event timestamp too old' };
+    }
+    if (event.created_at > now + 60) {
+      return { success: false, error: 'Event timestamp too far in the future' };
+    }
+
     return { success: true, pubkey: event.pubkey };
   } catch (error) {
     logger.error('Event validation error:', { error: error instanceof Error ? error.message : String(error) });