feat: add JWT secret validation and bump version to 0.3.3

Author: vveerrgg

.github/workflows/publish.yml

@@ -7,15 +7,30 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
     steps:
       - uses: actions/checkout@v4
+      
       - uses: actions/setup-node@v4
         with:
           node-version: '18.x'
           registry-url: 'https://registry.npmjs.org'
-      - run: npm ci
-      - run: npm test
-      - run: npm run build
-      - run: npm publish --access public
+          scope: '@humanjavaenterprises'
+          
+      - name: Install dependencies
+        run: npm ci
+        
+      - name: Run tests
+        run: npm test
+        
+      - name: Build package
+        run: npm run build
+        
+      - name: Publish to NPM
+        run: npm publish --access public
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

README.md

@@ -92,11 +92,15 @@ This middleware follows key principles that promote security, auditability, and
 ### Basic Setup
 ```javascript
 const auth = new NostrAuthMiddleware({
-  jwtSecret: process.env.JWT_SECRET,  // Required
+  jwtSecret: process.env.JWT_SECRET,  // Required in production
   expiresIn: '24h'                    // Optional, defaults to '24h'
 });
 ```
 
+### Environment-Specific Behavior
+- **Production**: JWT_SECRET is required. The middleware will throw an error if not provided
+- **Development**: A default development-only secret is used if JWT_SECRET is not provided (not secure for production use)
+
 ### JWT Operations
 
 #### Token Generation

package.json

@@ -1,6 +1,6 @@
 {
   "name": "nostr-auth-middleware",
-  "version": "0.3.2",
+  "version": "0.3.3",
   "description": "A focused, security-first authentication middleware for Nostr applications",
   "author": "vveerrgg",
   "type": "module",

src/__tests__/nostr-auth.middleware.test.ts

@@ -2,7 +2,7 @@ import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { Request, Response, NextFunction } from 'express';
 import { NostrAuthMiddleware } from '../middleware/nostr-auth.middleware.js';
 import { NostrService } from '../services/nostr.service.js';
-import { NostrEvent, NostrChallenge, VerificationResult, NostrAuthConfig, JWTExpiresIn } from '../types/index.js';
+import type { NostrEvent, NostrChallenge, VerificationResult, NostrAuthConfig, JWTExpiresIn } from '../types.js';
 
 // Mock NostrService
 vi.mock('../services/nostr.service.js');
@@ -14,14 +14,14 @@ describe('NostrAuthMiddleware', () => {
   let mockNext: NextFunction;
   let mockNostrService: NostrService;
 
-  const testConfig: NostrAuthConfig = {
+  const testConfig: Partial<NostrAuthConfig> = {
     jwtSecret: 'test-secret-key',
-    jwtExpiresIn: '24h' satisfies JWTExpiresIn,
+    jwtExpiresIn: '24h' as JWTExpiresIn,
     eventTimeoutMs: 5000,
     keyManagementMode: 'development' as const,
     port: 3000,
     nodeEnv: 'test',
-    corsOrigins: '*',
+    corsOrigin: '*',
     supabaseUrl: 'http://localhost:54321',
     supabaseKey: 'test-key',
     testMode: true

src/config/index.ts

@@ -54,7 +54,9 @@ export const config: NostrConfig = {
   privateKey: process.env.SERVER_PRIVATE_KEY,
   keyManagementMode: (process.env.KEY_MANAGEMENT_MODE as 'development' | 'production') || 'development',
   // Auth config
-  jwtSecret: process.env.JWT_SECRET || 'maiqr_nostr_auth_secret_key_2024',
+  jwtSecret: process.env.JWT_SECRET || (process.env.NODE_ENV === 'production' 
+    ? (() => { throw new Error('JWT_SECRET is required in production mode') })()
+    : 'development_jwt_secret_do_not_use_in_production'),
   jwtExpiresIn: '1h',
   testMode: process.env.TEST_MODE === 'true',
   // Optional configs
@@ -111,7 +113,9 @@ export async function loadConfig(envPath?: string): Promise<NostrConfig> {
     publicKey: process.env.SERVER_PUBLIC_KEY,
     keyManagementMode: process.env.KEY_MANAGEMENT_MODE as 'development' | 'production',
     // Auth config
-    jwtSecret: process.env.JWT_SECRET,
+    jwtSecret: process.env.JWT_SECRET || (process.env.NODE_ENV === 'production' 
+      ? (() => { throw new Error('JWT_SECRET is required in production mode') })()
+      : 'development_jwt_secret_do_not_use_in_production'),
     jwtExpiresIn: process.env.JWT_EXPIRES_IN || '24h',
     testMode: process.env.NODE_ENV !== 'production',
     // Optional configs

src/middleware/nostr-auth.middleware.ts

@@ -5,15 +5,16 @@
 
 import { Request, Response, NextFunction, Router } from 'express';
 import { NostrService } from '../services/nostr.service.js';
-import { NostrEvent, NostrAuthConfig } from '../types.js';
+import type { NostrEvent, NostrAuthConfig, JWTExpiresIn } from '../types.js';
 import { createLogger } from '../utils/logger.js';
 
 const logger = createLogger('NostrAuthMiddleware');
 
-const DEFAULT_CONFIG: Required<Pick<NostrAuthConfig, 'keyManagementMode' | 'eventTimeoutMs' | 'jwtExpiresIn'>> = {
+const DEFAULT_CONFIG: Required<Pick<NostrAuthConfig, 'keyManagementMode' | 'eventTimeoutMs' | 'jwtExpiresIn' | 'port'>> = {
   keyManagementMode: 'development',
   eventTimeoutMs: 300000, // 5 minutes
-  jwtExpiresIn: '1h'
+  jwtExpiresIn: '1h' as JWTExpiresIn,
+  port: 3000 // Default port
 };
 
 /**
@@ -37,14 +38,15 @@ export class NostrAuthMiddleware {
     }
 
     // Ensure required properties are present with defaults
-    const fullConfig = {
+    const fullConfig: NostrAuthConfig = {
       ...DEFAULT_CONFIG,
       ...config,
       jwtSecret: config.jwtSecret,
+      port: config.port || DEFAULT_CONFIG.port,
       eventTimeoutMs: config.eventTimeoutMs || DEFAULT_CONFIG.eventTimeoutMs,
       jwtExpiresIn: config.jwtExpiresIn || DEFAULT_CONFIG.jwtExpiresIn,
       keyManagementMode: config.keyManagementMode || DEFAULT_CONFIG.keyManagementMode
-    } as NostrAuthConfig;
+    };
 
     this.nostrService = nostrService || new NostrService(fullConfig);
     this.router = Router();

src/types.ts

@@ -66,10 +66,11 @@ export interface NostrAuthConfig {
  */
 export interface NostrChallenge {
   id: string;
+  pubkey: string;
   challenge: string;
+  event?: NostrEvent;
   created_at: number;
   expires_at: number;
-  pubkey: string;
 }
 
 /**

src/types/index.ts

@@ -8,6 +8,12 @@ import { NostrEvent } from '../interfaces/nostr.interface.js';
 
 export { NostrEvent };
 
+/**
+ * Type representing JWT expiration time
+ * @type {string}
+ */
+export type JWTExpiresIn = string;
+
 /**
  * Interface representing a Nostr authentication challenge
  * @interface NostrChallenge
@@ -130,9 +136,9 @@ export interface NostrAuthConfig extends SecurityConfig {
   supabaseKey?: string;
 
   /** Secret for JWT signing */
-  jwtSecret?: string;
+  jwtSecret: string;
   /** JWT expiration time */
-  jwtExpiresIn?: string;
+  jwtExpiresIn: JWTExpiresIn;
   /** Enable test mode */
   testMode?: boolean;
 }