feat: add NIP-44 settings encryption, upgrade to nostr-crypto-utils v0.5.1

Add opt-in NIP-44 (ChaCha20 + HMAC) encryption for settings stored via
Nostr DMs. SettingsManager now accepts an options-based constructor with
encryptionVersion and privateKey. Legacy 2-arg constructor defaults to
NIP-04 for backward compatibility. Graceful fallback on read allows
smooth migration from NIP-04 to NIP-44.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vveerrgg

package-lock.json

@@ -54,7 +54,7 @@
     "@scure/base": "^1.2.6",
     "@simplewebauthn/browser": "^8.3.7",
     "@simplewebauthn/server": "^8.3.5",
-    "nostr-crypto-utils": "^0.4.15"
+    "nostr-crypto-utils": "^0.5.1"
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",

package.json

@@ -1,14 +1,67 @@
-import { NostrService, NostrEvent } from '../types/nostr';
-import { Settings } from '../types/settings';
+import { nip44 } from 'nostr-crypto-utils';
+import { hexToBytes } from 'nostr-crypto-utils';
+import type { NostrService, NostrEvent, EncryptionVersion } from '../types/nostr';
+import type { Settings } from '../types/settings';
+
+/**
+ * Options for SettingsManager construction.
+ */
+export interface SettingsManagerOptions {
+  /** The NostrService implementation for sending/querying DMs */
+  nostrService: NostrService;
+  /** The user's hex-encoded public key */
+  userPubkey: string;
+  /**
+   * The user's hex-encoded private key.
+   * Required when encryptionVersion is 'nip44' for deriving conversation keys.
+   * When using 'nip04', the consuming application handles encryption in sendDirectMessage.
+   */
+  privateKey?: string;
+  /**
+   * Encryption version to use for settings DMs.
+   * - 'nip04': Legacy NIP-04 encryption (default). Encryption is handled by the
+   *   consuming application's NostrService.sendDirectMessage implementation.
+   * - 'nip44': Modern NIP-44 encryption. SettingsManager encrypts/decrypts content
+   *   directly using the provided privateKey before passing to NostrService.
+   */
+  encryptionVersion?: EncryptionVersion;
+}
 
 export class SettingsManager {
   private nostrService: NostrService;
   private userPubkey: string;
+  private privateKey: string | undefined;
+  private encryptionVersion: EncryptionVersion;
   private cachedSettings: Settings | null = null;
 
-  constructor(nostrService: NostrService, userPubkey: string) {
-    this.nostrService = nostrService;
-    this.userPubkey = userPubkey;
+  constructor(options: SettingsManagerOptions);
+  /**
+   * @deprecated Use the options object constructor instead.
+   * Retained for backward compatibility.
+   */
+  constructor(nostrService: NostrService, userPubkey: string);
+  constructor(
+    optionsOrService: SettingsManagerOptions | NostrService,
+    userPubkey?: string
+  ) {
+    if (userPubkey !== undefined) {
+      // Legacy two-argument constructor
+      this.nostrService = optionsOrService as NostrService;
+      this.userPubkey = userPubkey;
+      this.encryptionVersion = 'nip04';
+    } else {
+      const opts = optionsOrService as SettingsManagerOptions;
+      this.nostrService = opts.nostrService;
+      this.userPubkey = opts.userPubkey;
+      this.privateKey = opts.privateKey;
+      this.encryptionVersion = opts.encryptionVersion ?? 'nip04';
+
+      if (this.encryptionVersion === 'nip44' && !this.privateKey) {
+        throw new Error(
+          'privateKey is required when using NIP-44 encryption'
+        );
+      }
+    }
   }
 
   /**
@@ -24,6 +77,51 @@ export class SettingsManager {
     };
   }
 
+  /**
+   * Encrypt content using NIP-44.
+   * @param plaintext - The plaintext content to encrypt
+   * @returns Base64-encoded NIP-44 encrypted payload
+   */
+  private encryptNip44(plaintext: string): string {
+    if (!this.privateKey) {
+      throw new Error('privateKey is required for NIP-44 encryption');
+    }
+    const privkeyBytes = hexToBytes(this.privateKey);
+    const conversationKey = nip44.getConversationKey(privkeyBytes, this.userPubkey);
+    return nip44.encrypt(plaintext, conversationKey);
+  }
+
+  /**
+   * Decrypt content using NIP-44.
+   * @param payload - Base64-encoded NIP-44 encrypted payload
+   * @returns Decrypted plaintext string
+   */
+  private decryptNip44(payload: string): string {
+    if (!this.privateKey) {
+      throw new Error('privateKey is required for NIP-44 decryption');
+    }
+    const privkeyBytes = hexToBytes(this.privateKey);
+    const conversationKey = nip44.getConversationKey(privkeyBytes, this.userPubkey);
+    return nip44.decrypt(payload, conversationKey);
+  }
+
+  /**
+   * Attempt to decrypt event content, trying NIP-44 first if configured,
+   * then falling back to treating content as plaintext JSON (for NIP-04,
+   * where the NostrService handles decryption before returning events).
+   */
+  private decryptContent(event: NostrEvent): string {
+    if (this.encryptionVersion === 'nip44' && this.privateKey) {
+      try {
+        return this.decryptNip44(event.content);
+      } catch {
+        // Fall through to try as plain JSON (may be a legacy NIP-04 event
+        // already decrypted by the NostrService)
+      }
+    }
+    return event.content;
+  }
+
   /**
    * Get settings from Nostr DMs
    */
@@ -35,11 +133,12 @@ export class SettingsManager {
         kinds: [4], // kind 4 is for encrypted direct messages
         limit: 100
       });
-      
+
       // Filter for settings DMs
       const settingsDMs = events.filter((event: NostrEvent) => {
         try {
-          const content = JSON.parse(event.content);
+          const decrypted = this.decryptContent(event);
+          const content = JSON.parse(decrypted);
           return content.type === 'settings';
         } catch {
           return false;
@@ -51,7 +150,8 @@ export class SettingsManager {
       }
 
       // Get latest settings
-      const latestSettings = JSON.parse(settingsDMs[0].content);
+      const decrypted = this.decryptContent(settingsDMs[0]);
+      const latestSettings = JSON.parse(decrypted);
       return latestSettings.data;
     } catch (error) {
       console.error('Error getting settings from DMs:', error);
@@ -78,7 +178,10 @@ export class SettingsManager {
   }
 
   /**
-   * Save settings to DM
+   * Save settings to DM.
+   * When using NIP-44, content is encrypted before passing to NostrService.
+   * When using NIP-04, content is passed as plaintext JSON and the
+   * NostrService.sendDirectMessage implementation handles encryption.
    */
   async saveSettings(settings: Settings): Promise<void> {
     const message = {
@@ -87,7 +190,13 @@ export class SettingsManager {
       timestamp: Date.now()
     };
 
-    await this.nostrService.sendDirectMessage(this.userPubkey, JSON.stringify(message));
+    let content = JSON.stringify(message);
+
+    if (this.encryptionVersion === 'nip44') {
+      content = this.encryptNip44(content);
+    }
+
+    await this.nostrService.sendDirectMessage(this.userPubkey, content);
     this.cachedSettings = settings;
   }
 
@@ -100,4 +209,11 @@ export class SettingsManager {
     await this.saveSettings(updated);
     return updated;
   }
+
+  /**
+   * Get the current encryption version
+   */
+  getEncryptionVersion(): EncryptionVersion {
+    return this.encryptionVersion;
+  }
 }

src/settings/settings-manager.ts

@@ -18,6 +18,13 @@ export interface NostrFilter {
   limit?: number;
 }
 
+/**
+ * Encryption version for Nostr direct messages.
+ * - 'nip04': Legacy NIP-04 AES-CBC encryption (kind 4). Default for backward compat.
+ * - 'nip44': Modern NIP-44 ChaCha20+HMAC encryption (kind 44). Opt-in.
+ */
+export type EncryptionVersion = 'nip04' | 'nip44';
+
 export interface NostrService {
   sendDirectMessage(pubkey: string, content: string): Promise<NostrEvent>;
   queryEvents(filter: NostrFilter): Promise<NostrEvent[]>;

src/types/nostr.ts

@@ -2,13 +2,17 @@
  * Settings types for the nostr-biometric-login-service
  */
 
+import type { EncryptionVersion } from './nostr';
+
 export interface Settings {
   npub: string;
   relays: string[];
   magicLinkExpiry: number;
   biometricEnabled: boolean;
   sessionDuration: number;
   lastLogin?: number;
+  /** Encryption version used for settings DMs. Defaults to 'nip04'. */
+  encryptionVersion?: EncryptionVersion;
 }
 
 export interface SettingsUpdate {
@@ -17,6 +21,7 @@ export interface SettingsUpdate {
   magicLinkExpiry?: number;
   biometricEnabled?: boolean;
   sessionDuration?: number;
+  encryptionVersion?: EncryptionVersion;
 }
 
 export interface SessionState {