feat: read shared profiles from iOS app via App Groups

vveerrgg · claude · vveerrgg · commit 1987f001a125 · 2026-02-22T18:28:29.000-08:00
Enable the Safari extension to read profiles shared by the iOS app
through the App Groups container and shared Keychain. On startup,
background.js calls sendNativeMessage to check for shared profiles
and merges them into local storage (new profiles added, existing
matched by pubKey). Adds App Groups + Keychain entitlements for
iOS App and Extension targets.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apple/NostrKey.xcodeproj/project.pbxproj b/apple/NostrKey.xcodeproj/project.pbxproj
@@ -113,6 +113,10 @@
 		A1000005000000000000000B /* security in Resources */ = {isa = PBXBuildFile; fileRef = A10000050000000000000013 /* security */; };
 		A1000006000000000000000A /* vault in Resources */ = {isa = PBXBuildFile; fileRef = A10000060000000000000014 /* vault */; };
 		A1000006000000000000000B /* vault in Resources */ = {isa = PBXBuildFile; fileRef = A10000060000000000000014 /* vault */; };
+		B1000003000000000000000A /* SharedStorage.swift in Sources */ = {isa = PBXBuildFile; fileRef = B1000001000000000000000A /* SharedStorage.swift */; };
+		B1000003000000000000000B /* SharedStorage.swift in Sources */ = {isa = PBXBuildFile; fileRef = B1000001000000000000000A /* SharedStorage.swift */; };
+		B1000004000000000000000A /* SharedKeychain.swift in Sources */ = {isa = PBXBuildFile; fileRef = B1000002000000000000000A /* SharedKeychain.swift */; };
+		B1000004000000000000000B /* SharedKeychain.swift in Sources */ = {isa = PBXBuildFile; fileRef = B1000002000000000000000A /* SharedKeychain.swift */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -195,6 +199,10 @@
 		941B042E2978CDF900CA291E /* Icon-32.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Icon-32.png"; sourceTree = "<group>"; };
 		941B042F2978CDF900CA291E /* Icon-16.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Icon-16.png"; sourceTree = "<group>"; };
 		941B04302978CDF900CA291E /* Icon-64.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Icon-64.png"; sourceTree = "<group>"; };
+		B1000001000000000000000A /* SharedStorage.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SharedStorage.swift; sourceTree = "<group>"; };
+		B1000002000000000000000A /* SharedKeychain.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = SharedKeychain.swift; sourceTree = "<group>"; };
+		B1000005000000000000000A /* nostrkey.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = nostrkey.entitlements; sourceTree = "<group>"; };
+		B1000006000000000000000A /* nostrkey.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = nostrkey.entitlements; sourceTree = "<group>"; };
 		944A6E02299F2FBB0032C2E3 /* experimental */ = {isa = PBXFileReference; lastKnownFileType = folder; path = experimental; sourceTree = "<group>"; };
 		944A6E12299F39D30032C2E3 /* permission */ = {isa = PBXFileReference; lastKnownFileType = folder; path = permission; sourceTree = "<group>"; };
 		944A6E38299F46270032C2E3 /* MainView.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MainView.swift; sourceTree = "<group>"; };
@@ -299,6 +307,8 @@
 			isa = PBXGroup;
 			children = (
 				941B03A1296FA90400CA291E /* SafariWebExtensionHandler.swift */,
+				B1000001000000000000000A /* SharedStorage.swift */,
+				B1000002000000000000000A /* SharedKeychain.swift */,
 			);
 			path = "Shared (Extension)";
 			sourceTree = "<group>";
@@ -354,6 +364,7 @@
 			isa = PBXGroup;
 			children = (
 				941B03BC296FA90400CA291E /* Info.plist */,
+				B1000005000000000000000A /* nostrkey.entitlements */,
 			);
 			path = "iOS (App)";
 			sourceTree = "<group>";
@@ -370,6 +381,7 @@
 			isa = PBXGroup;
 			children = (
 				941B03D2296FA90400CA291E /* Info.plist */,
+				B1000006000000000000000A /* nostrkey.entitlements */,
 			);
 			path = "iOS (Extension)";
 			sourceTree = "<group>";
@@ -673,6 +685,8 @@
 			buildActionMask = 2147483647;
 			files = (
 				941B03EA296FA90400CA291E /* SafariWebExtensionHandler.swift in Sources */,
+				B1000003000000000000000A /* SharedStorage.swift in Sources */,
+				B1000004000000000000000A /* SharedKeychain.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -681,6 +695,8 @@
 			buildActionMask = 2147483647;
 			files = (
 				941B03EB296FA90400CA291E /* SafariWebExtensionHandler.swift in Sources */,
+				B1000003000000000000000B /* SharedStorage.swift in Sources */,
+				B1000004000000000000000B /* SharedKeychain.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -833,6 +849,7 @@
 		941B03FF296FA90400CA291E /* Debug */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				CODE_SIGN_ENTITLEMENTS = "iOS (Extension)/nostrkey.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 5.0.0;
 				GENERATE_INFOPLIST_FILE = YES;
@@ -863,6 +880,7 @@
 		941B0400296FA90400CA291E /* Release */ = {
 			isa = XCBuildConfiguration;
 			buildSettings = {
+				CODE_SIGN_ENTITLEMENTS = "iOS (Extension)/nostrkey.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 5.0.0;
 				GENERATE_INFOPLIST_FILE = YES;
@@ -897,6 +915,7 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
 				ASSETCATALOG_COMPILER_INCLUDE_ALL_APPICON_ASSETS = YES;
+				CODE_SIGN_ENTITLEMENTS = "iOS (App)/nostrkey.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 5.0.0;
 				DEVELOPMENT_TEAM = H48PW6TC25;
@@ -940,6 +959,7 @@
 				ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 				ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
 				ASSETCATALOG_COMPILER_INCLUDE_ALL_APPICON_ASSETS = YES;
+				CODE_SIGN_ENTITLEMENTS = "iOS (App)/nostrkey.entitlements";
 				CODE_SIGN_STYLE = Automatic;
 				CURRENT_PROJECT_VERSION = 5.0.0;
 				DEVELOPMENT_TEAM = H48PW6TC25;
diff --git a/apple/Shared (Extension)/SafariWebExtensionHandler.swift b/apple/Shared (Extension)/SafariWebExtensionHandler.swift
@@ -17,10 +17,44 @@ class SafariWebExtensionHandler: NSObject, NSExtensionRequestHandling {
         let message = item.userInfo?[SFExtensionMessageKey]
         os_log(.default, "Received message from browser.runtime.sendNativeMessage: %@", message as! CVarArg)
 
+        // Check if the message contains a recognized action
+        if let dict = message as? [String: Any],
+           let action = dict["action"] as? String {
+            switch action {
+            case "getSharedProfiles":
+                handleGetSharedProfiles(context: context)
+                return
+            default:
+                break
+            }
+        }
+
+        // Legacy echo behavior
         let response = NSExtensionItem()
         response.userInfo = [ SFExtensionMessageKey: [ "Response to": message ] ]
 
         context.completeRequest(returningItems: [response], completionHandler: nil)
     }
 
+    /// Read profiles from the App Group shared container and attach private keys
+    /// from the shared Keychain.
+    private func handleGetSharedProfiles(context: NSExtensionContext) {
+        let profiles = SharedStorage.shared.loadProfiles()
+
+        // Attach private keys from shared Keychain
+        var fullProfiles: [[String: Any]] = []
+        for var profile in profiles {
+            if let id = profile["id"] as? String {
+                if let privKey = SharedKeychain.shared.loadPrivateKey(profileId: id) {
+                    profile["privKey"] = privKey
+                }
+            }
+            fullProfiles.append(profile)
+        }
+
+        let response = NSExtensionItem()
+        response.userInfo = [SFExtensionMessageKey: ["profiles": fullProfiles]]
+        context.completeRequest(returningItems: [response], completionHandler: nil)
+    }
+
 }
diff --git a/apple/Shared (Extension)/SharedKeychain.swift b/apple/Shared (Extension)/SharedKeychain.swift
@@ -0,0 +1,95 @@
+import Foundation
+import Security
+
+/// Keychain wrapper using a shared access group for App Groups.
+/// Stores private keys (nsec/hex) per profile ID, accessible by both the iOS app
+/// and the Safari extension.
+final class SharedKeychain {
+    static let shared = SharedKeychain()
+
+    private let accessGroup = "H48PW6TC25.group.com.nostrkey"
+    private let servicePrefix = "nostrkey.nsec."
+
+    private init() {}
+
+    /// Store a private key for a given profile ID.
+    func savePrivateKey(profileId: String, privKey: String) {
+        let service = servicePrefix + profileId
+        guard let data = privKey.data(using: .utf8) else { return }
+
+        // Delete existing item first (update = delete + add)
+        deletePrivateKey(profileId: profileId)
+
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: service,
+            kSecAttrAccessGroup as String: accessGroup,
+            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+            kSecValueData as String: data
+        ]
+
+        SecItemAdd(query as CFDictionary, nil)
+    }
+
+    /// Retrieve the private key for a given profile ID.
+    func loadPrivateKey(profileId: String) -> String? {
+        let service = servicePrefix + profileId
+
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: service,
+            kSecAttrAccessGroup as String: accessGroup,
+            kSecReturnData as String: true,
+            kSecMatchLimit as String: kSecMatchLimitOne
+        ]
+
+        var result: AnyObject?
+        let status = SecItemCopyMatching(query as CFDictionary, &result)
+
+        guard status == errSecSuccess,
+              let data = result as? Data,
+              let key = String(data: data, encoding: .utf8) else {
+            return nil
+        }
+        return key
+    }
+
+    /// Delete the private key for a given profile ID.
+    func deletePrivateKey(profileId: String) {
+        let service = servicePrefix + profileId
+
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: service,
+            kSecAttrAccessGroup as String: accessGroup
+        ]
+
+        SecItemDelete(query as CFDictionary)
+    }
+
+    /// List all profile IDs that have stored private keys.
+    func listProfileIds() -> [String] {
+        let query: [String: Any] = [
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrAccessGroup as String: accessGroup,
+            kSecReturnAttributes as String: true,
+            kSecMatchLimit as String: kSecMatchLimitAll
+        ]
+
+        var result: AnyObject?
+        let status = SecItemCopyMatching(query as CFDictionary, &result)
+
+        guard status == errSecSuccess,
+              let items = result as? [[String: Any]] else {
+            return []
+        }
+
+        return items.compactMap { item in
+            guard let service = item[kSecAttrService as String] as? String,
+                  service.hasPrefix(servicePrefix) else {
+                return nil
+            }
+            return String(service.dropFirst(servicePrefix.count))
+        }
+    }
+}
diff --git a/apple/Shared (Extension)/SharedStorage.swift b/apple/Shared (Extension)/SharedStorage.swift
@@ -0,0 +1,37 @@
+import Foundation
+
+/// Wrapper around the App Group shared UserDefaults container.
+/// Stores profile metadata (name, pubKey/npub, active, relays) — never private keys.
+final class SharedStorage {
+    static let shared = SharedStorage()
+
+    private let suiteName = "group.com.nostrkey"
+    private let profilesKey = "nostrkey_shared_profiles"
+
+    private var defaults: UserDefaults? {
+        UserDefaults(suiteName: suiteName)
+    }
+
+    private init() {}
+
+    /// Save profile metadata to the shared container.
+    /// Private keys must NOT be included — use SharedKeychain instead.
+    func saveProfiles(_ profiles: [[String: Any]]) {
+        guard let defaults = defaults else { return }
+        if let data = try? JSONSerialization.data(withJSONObject: profiles),
+           let json = String(data: data, encoding: .utf8) {
+            defaults.set(json, forKey: profilesKey)
+        }
+    }
+
+    /// Load profile metadata from the shared container.
+    func loadProfiles() -> [[String: Any]] {
+        guard let defaults = defaults,
+              let json = defaults.string(forKey: profilesKey),
+              let data = json.data(using: .utf8),
+              let array = try? JSONSerialization.jsonObject(with: data) as? [[String: Any]] else {
+            return []
+        }
+        return array
+    }
+}
diff --git a/apple/iOS (App)/nostrkey.entitlements b/apple/iOS (App)/nostrkey.entitlements
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>group.com.nostrkey</string>
+	</array>
+</dict>
+</plist>
diff --git a/apple/iOS (Extension)/nostrkey.entitlements b/apple/iOS (Extension)/nostrkey.entitlements
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.application-groups</key>
+	<array>
+		<string>group.com.nostrkey</string>
+	</array>
+	<key>keychain-access-groups</key>
+	<array>
+		<string>$(AppIdentifierPrefix)group.com.nostrkey</string>
+	</array>
+</dict>
+</plist>
diff --git a/src/background.js b/src/background.js
@@ -130,8 +130,78 @@ let blockCrossOriginFrames = true;
     } catch (e) {
         log(`[STARTUP] Platform sync init error (non-fatal): ${e.message}`);
     }
+
+    // Check for profiles shared from the iOS app via App Groups (Safari only)
+    try {
+        if (typeof browser !== 'undefined' && browser.runtime.sendNativeMessage) {
+            const response = await browser.runtime.sendNativeMessage(
+                'com.nostrkey.Extension',
+                { action: 'getSharedProfiles' }
+            );
+            if (response && response.profiles && response.profiles.length > 0) {
+                const local = await storage.get({ profiles: [] });
+                const merged = mergeSharedProfiles(local.profiles, response.profiles);
+                if (merged.changed) {
+                    await storage.set({ profiles: merged.profiles });
+                    log(`[STARTUP] Merged ${response.profiles.length} shared profile(s) from iOS app`);
+                }
+            }
+        }
+    } catch (e) {
+        // Not Safari, or shared storage unavailable — ignore
+        log(`[STARTUP] Shared profiles check skipped: ${e.message}`);
+    }
 })();
 
+/**
+ * Merge profiles shared from the iOS app into the local profile list.
+ * For each shared profile, if no local profile has the same pubKey, add it.
+ * If a local profile has the same pubKey, keep the one with the newer updatedAt.
+ * @returns {{ profiles: Array, changed: boolean }}
+ */
+function mergeSharedProfiles(localProfiles, sharedProfiles) {
+    let changed = false;
+    const profiles = [...localProfiles];
+
+    for (const shared of sharedProfiles) {
+        if (!shared.pubKey) continue;
+
+        const localIndex = profiles.findIndex(p => p.pubKey === shared.pubKey);
+
+        if (localIndex === -1) {
+            // New profile from app — add it
+            profiles.push({
+                name: shared.name || 'Shared Profile',
+                privKey: shared.privKey || '',
+                pubKey: shared.pubKey,
+                hosts: {},
+                relays: shared.relays || [],
+                type: 'local',
+                updatedAt: shared.lastSyncedAt ? new Date(shared.lastSyncedAt).getTime() : Date.now(),
+            });
+            changed = true;
+        } else {
+            // Existing profile — update if shared is newer and has a key we don't
+            const local = profiles[localIndex];
+            const localTime = local.updatedAt || 0;
+            const sharedTime = shared.lastSyncedAt ? new Date(shared.lastSyncedAt).getTime() : 0;
+
+            if (sharedTime > localTime && shared.privKey && !local.privKey) {
+                profiles[localIndex] = {
+                    ...local,
+                    privKey: shared.privKey,
+                    name: shared.name || local.name,
+                    relays: shared.relays || local.relays,
+                    updatedAt: sharedTime,
+                };
+                changed = true;
+            }
+        }
+    }
+
+    return { profiles, changed };
+}
+
 /**
  * Reset the auto-lock inactivity timer.
  */
