Merge branch 'main' into translate-status

src/config.ts

@@ -1,4 +1,5 @@
 import os from 'node:os';
+import ISO6391, { LanguageCode } from 'iso-639-1';
 import * as dotenv from '@std/dotenv';
 import { getPublicKey, nip19 } from 'nostr-tools';
 import { z } from 'zod';
@@ -247,6 +248,10 @@ class Conf {
   static get zapSplitsEnabled(): boolean {
     return optionalBooleanSchema.parse(Deno.env.get('ZAP_SPLITS_ENABLED')) ?? false;
   }
+  /** Languages this server wishes to highlight. Used when querying trends.*/
+  static get preferredLanguages(): LanguageCode[] | undefined {
+    return Deno.env.get('DITTO_LANGUAGES')?.split(',')?.filter(ISO6391.validate) as LanguageCode[];
+  }
   /** Cache settings. */
   static caches = {
     /** NIP-05 cache settings. */

src/controllers/api/oauth.ts

@@ -1,14 +1,14 @@
 import { NConnectSigner, NSchema as n, NSecSigner } from '@nostrify/nostrify';
-import { bech32 } from '@scure/base';
 import { escape } from 'entities';
-import { generateSecretKey, getPublicKey } from 'nostr-tools';
+import { generateSecretKey } from 'nostr-tools';
 import { z } from 'zod';
 
 import { AppController } from '@/app.ts';
 import { Conf } from '@/config.ts';
+import { Storages } from '@/storages.ts';
 import { nostrNow } from '@/utils.ts';
 import { parseBody } from '@/utils/api.ts';
-import { Storages } from '@/storages.ts';
+import { encryptSecretKey, generateToken } from '@/utils/auth.ts';
 
 const passwordGrantSchema = z.object({
   grant_type: z.literal('password'),
@@ -82,38 +82,30 @@ async function getToken(
   { pubkey, secret, relays = [] }: { pubkey: string; secret?: string; relays?: string[] },
 ): Promise<`token1${string}`> {
   const kysely = await Storages.kysely();
-  const token = generateToken();
+  const { token, hash } = await generateToken();
 
-  const serverSeckey = generateSecretKey();
-  const serverPubkey = getPublicKey(serverSeckey);
+  const nip46Seckey = generateSecretKey();
 
   const signer = new NConnectSigner({
     pubkey,
-    signer: new NSecSigner(serverSeckey),
+    signer: new NSecSigner(nip46Seckey),
     relay: await Storages.pubsub(), // TODO: Use the relays from the request.
     timeout: 60_000,
   });
 
   await signer.connect(secret);
 
-  await kysely.insertInto('nip46_tokens').values({
-    api_token: token,
-    user_pubkey: pubkey,
-    server_seckey: serverSeckey,
-    server_pubkey: serverPubkey,
-    relays: JSON.stringify(relays),
-    connected_at: new Date(),
+  await kysely.insertInto('auth_tokens').values({
+    token_hash: hash,
+    pubkey,
+    nip46_sk_enc: await encryptSecretKey(Conf.seckey, nip46Seckey),
+    nip46_relays: relays,
+    created_at: new Date(),
   }).execute();
 
   return token;
 }
 
-/** Generate a bech32 token for the API. */
-function generateToken(): `token1${string}` {
-  const words = bech32.toWords(generateSecretKey());
-  return bech32.encode('token', words);
-}
-
 /** Display the OAuth form. */
 const oauthController: AppController = (c) => {
   const encodedUri = c.req.query('redirect_uri');

src/controllers/api/statuses.ts

@@ -88,14 +88,28 @@ const createStatusController: AppController = async (c) => {
       return c.json({ error: 'Original post not found.' }, 404);
     }
 
-    const root = ancestor.tags.find((tag) => tag[0] === 'e' && tag[3] === 'root')?.[1] ?? ancestor.id;
+    const rootId = ancestor.tags.find((tag) => tag[0] === 'e' && tag[3] === 'root')?.[1] ?? ancestor.id;
+    const root = rootId === ancestor.id ? ancestor : await getEvent(rootId);
 
-    tags.push(['e', root, Conf.relay, 'root']);
-    tags.push(['e', data.in_reply_to_id, Conf.relay, 'reply']);
+    if (root) {
+      tags.push(['e', root.id, Conf.relay, 'root', root.pubkey]);
+    } else {
+      tags.push(['e', rootId, Conf.relay, 'root']);
+    }
+
+    tags.push(['e', ancestor.id, Conf.relay, 'reply', ancestor.pubkey]);
   }
 
+  let quoted: DittoEvent | undefined;
+
   if (data.quote_id) {
-    tags.push(['q', data.quote_id]);
+    quoted = await getEvent(data.quote_id);
+
+    if (!quoted) {
+      return c.json({ error: 'Quoted post not found.' }, 404);
+    }
+
+    tags.push(['q', quoted.id, Conf.relay, '', quoted.pubkey]);
   }
 
   if (data.sensitive && data.spoiler_text) {
@@ -143,7 +157,7 @@ const createStatusController: AppController = async (c) => {
       }
 
       try {
-        return `nostr:${nip19.npubEncode(pubkey)}`;
+        return `nostr:${nip19.nprofileEncode({ pubkey, relays: [Conf.relay] })}`;
       } catch {
         return match;
       }
@@ -159,7 +173,7 @@ const createStatusController: AppController = async (c) => {
   }
 
   for (const pubkey of pubkeys) {
-    tags.push(['p', pubkey]);
+    tags.push(['p', pubkey, Conf.relay]);
   }
 
   for (const link of linkify.find(data.status ?? '')) {
@@ -175,10 +189,16 @@ const createStatusController: AppController = async (c) => {
     .map(({ url }) => url)
     .filter((url): url is string => Boolean(url));
 
-  const quoteCompat = data.quote_id ? `\n\nnostr:${nip19.noteEncode(data.quote_id)}` : '';
+  const quoteCompat = quoted
+    ? `\n\nnostr:${
+      nip19.neventEncode({ id: quoted.id, kind: quoted.kind, author: quoted.pubkey, relays: [Conf.relay] })
+    }`
+    : '';
+
   const mediaCompat = mediaUrls.length ? `\n\n${mediaUrls.join('\n')}` : '';
 
-  const author = await getAuthor(await c.get('signer')?.getPublicKey()!);
+  const pubkey = await c.get('signer')?.getPublicKey()!;
+  const author = pubkey ? await getAuthor(pubkey) : undefined;
 
   if (Conf.zapSplitsEnabled) {
     const meta = n.json().pipe(n.metadata()).catch({}).parse(author?.content);
@@ -191,7 +211,7 @@ const createStatusController: AppController = async (c) => {
         tags.push(['zap', pubkey, Conf.relay, dittoZapSplit[pubkey].weight.toString(), dittoZapSplit[pubkey].message]);
       }
       if (totalSplit) {
-        tags.push(['zap', author?.pubkey as string, Conf.relay, Math.max(0, 100 - totalSplit).toString()]);
+        tags.push(['zap', pubkey, Conf.relay, Math.max(0, 100 - totalSplit).toString()]);
       }
     }
   }
@@ -223,7 +243,7 @@ const deleteStatusController: AppController = async (c) => {
     if (event.pubkey === pubkey) {
       await createEvent({
         kind: 5,
-        tags: [['e', id, Conf.relay]],
+        tags: [['e', id, Conf.relay, '', pubkey]],
       }, c);
 
       const author = await getAuthor(event.pubkey);
@@ -281,7 +301,7 @@ const favouriteController: AppController = async (c) => {
       kind: 7,
       content: '+',
       tags: [
-        ['e', target.id, Conf.relay],
+        ['e', target.id, Conf.relay, '', target.pubkey],
         ['p', target.pubkey, Conf.relay],
       ],
     }, c);
@@ -324,7 +344,7 @@ const reblogStatusController: AppController = async (c) => {
   const reblogEvent = await createEvent({
     kind: 6,
     tags: [
-      ['e', event.id, Conf.relay],
+      ['e', event.id, Conf.relay, '', event.pubkey],
       ['p', event.pubkey, Conf.relay],
     ],
   }, c);
@@ -361,7 +381,7 @@ const unreblogStatusController: AppController = async (c) => {
 
   await createEvent({
     kind: 5,
-    tags: [['e', repostEvent.id, Conf.relay]],
+    tags: [['e', repostEvent.id, Conf.relay, '', repostEvent.pubkey]],
   }, c);
 
   return c.json(await renderStatus(event, { viewerPubkey: pubkey }));
@@ -413,7 +433,7 @@ const bookmarkController: AppController = async (c) => {
   if (event) {
     await updateListEvent(
       { kinds: [10003], authors: [pubkey], limit: 1 },
-      (tags) => addTag(tags, ['e', eventId, Conf.relay]),
+      (tags) => addTag(tags, ['e', event.id, Conf.relay, '', event.pubkey]),
       c,
     );
 
@@ -440,7 +460,7 @@ const unbookmarkController: AppController = async (c) => {
   if (event) {
     await updateListEvent(
       { kinds: [10003], authors: [pubkey], limit: 1 },
-      (tags) => deleteTag(tags, ['e', eventId, Conf.relay]),
+      (tags) => deleteTag(tags, ['e', event.id, Conf.relay, '', event.pubkey]),
       c,
     );
 
@@ -467,7 +487,7 @@ const pinController: AppController = async (c) => {
   if (event) {
     await updateListEvent(
       { kinds: [10001], authors: [pubkey], limit: 1 },
-      (tags) => addTag(tags, ['e', eventId, Conf.relay]),
+      (tags) => addTag(tags, ['e', event.id, Conf.relay, '', event.pubkey]),
       c,
     );
 
@@ -496,7 +516,7 @@ const unpinController: AppController = async (c) => {
   if (event) {
     await updateListEvent(
       { kinds: [10001], authors: [pubkey], limit: 1 },
-      (tags) => deleteTag(tags, ['e', eventId, Conf.relay]),
+      (tags) => deleteTag(tags, ['e', event.id, Conf.relay, '', event.pubkey]),
       c,
     );
 
@@ -540,8 +560,8 @@ const zapController: AppController = async (c) => {
     lnurl = getLnurl(meta);
     if (target && lnurl) {
       tags.push(
-        ['e', target.id, Conf.relay],
-        ['p', target.pubkey],
+        ['e', target.id, Conf.relay, '', target.pubkey],
+        ['p', target.pubkey, Conf.relay],
         ['amount', amount.toString()],
         ['relays', Conf.relay],
         ['lnurl', lnurl],
@@ -553,7 +573,7 @@ const zapController: AppController = async (c) => {
     lnurl = getLnurl(meta);
     if (target && lnurl) {
       tags.push(
-        ['p', target.pubkey],
+        ['p', target.pubkey, Conf.relay],
         ['amount', amount.toString()],
         ['relays', Conf.relay],
         ['lnurl', lnurl],

src/controllers/api/streaming.ts

@@ -14,6 +14,7 @@ import { MuteListPolicy } from '@/policies/MuteListPolicy.ts';
 import { getFeedPubkeys } from '@/queries.ts';
 import { hydrateEvents } from '@/storages/hydrate.ts';
 import { Storages } from '@/storages.ts';
+import { getTokenHash } from '@/utils/auth.ts';
 import { bech32ToPubkey, Time } from '@/utils.ts';
 import { renderReblog, renderStatus } from '@/views/mastodon/statuses.ts';
 import { renderNotification } from '@/views/mastodon/notifications.ts';
@@ -233,14 +234,15 @@ async function topicToFilter(
 async function getTokenPubkey(token: string): Promise<string | undefined> {
   if (token.startsWith('token1')) {
     const kysely = await Storages.kysely();
+    const tokenHash = await getTokenHash(token as `token1${string}`);
 
-    const { user_pubkey } = await kysely
-      .selectFrom('nip46_tokens')
-      .select(['user_pubkey', 'server_seckey', 'relays'])
-      .where('api_token', '=', token)
+    const { pubkey } = await kysely
+      .selectFrom('auth_tokens')
+      .select('pubkey')
+      .where('token_hash', '=', tokenHash)
       .executeTakeFirstOrThrow();
 
-    return user_pubkey;
+    return pubkey;
   } else {
     return bech32ToPubkey(token);
   }

src/db/DittoTables.ts

@@ -4,7 +4,7 @@ import { NPostgresSchema } from '@nostrify/db';
 
 export interface DittoTables extends NPostgresSchema {
   nostr_events: NostrEventsRow;
-  nip46_tokens: NIP46TokenRow;
+  auth_tokens: AuthTokenRow;
   author_stats: AuthorStatsRow;
   event_stats: EventStatsRow;
   pubkey_domains: PubkeyDomainRow;
@@ -33,13 +33,12 @@ interface EventStatsRow {
   zaps_amount: number;
 }
 
-interface NIP46TokenRow {
-  api_token: string;
-  user_pubkey: string;
-  server_seckey: Uint8Array;
-  server_pubkey: string;
-  relays: string;
-  connected_at: Date;
+interface AuthTokenRow {
+  token_hash: Uint8Array;
+  pubkey: string;
+  nip46_sk_enc: Uint8Array;
+  nip46_relays: string[];
+  created_at: Date;
 }
 
 interface PubkeyDomainRow {

src/db/migrations/037_auth_tokens.ts

@@ -0,0 +1,62 @@
+import { Kysely, sql } from 'kysely';
+
+import { encryptSecretKey, getTokenHash } from '@/utils/auth.ts';
+import { Conf } from '@/config.ts';
+
+interface DB {
+  nip46_tokens: {
+    api_token: `token1${string}`;
+    user_pubkey: string;
+    server_seckey: Uint8Array;
+    server_pubkey: string;
+    relays: string;
+    connected_at: Date;
+  };
+  auth_tokens: {
+    token_hash: Uint8Array;
+    pubkey: string;
+    nip46_sk_enc: Uint8Array;
+    nip46_relays: string[];
+    created_at: Date;
+  };
+}
+
+export async function up(db: Kysely<DB>): Promise<void> {
+  await db.schema
+    .createTable('auth_tokens')
+    .addColumn('token_hash', 'bytea', (col) => col.primaryKey())
+    .addColumn('pubkey', 'char(64)', (col) => col.notNull())
+    .addColumn('nip46_sk_enc', 'bytea', (col) => col.notNull())
+    .addColumn('nip46_relays', 'jsonb', (col) => col.defaultTo('[]'))
+    .addColumn('created_at', 'timestamp', (col) => col.defaultTo(sql`CURRENT_TIMESTAMP`))
+    .execute();
+
+  // There are probably not that many tokens in the database yet, so this should be fine.
+  const tokens = await db.selectFrom('nip46_tokens').selectAll().execute();
+
+  for (const token of tokens) {
+    await db.insertInto('auth_tokens').values({
+      token_hash: await getTokenHash(token.api_token),
+      pubkey: token.user_pubkey,
+      nip46_sk_enc: await encryptSecretKey(Conf.seckey, token.server_seckey),
+      nip46_relays: JSON.parse(token.relays),
+      created_at: token.connected_at,
+    }).execute();
+  }
+
+  await db.schema.dropTable('nip46_tokens').execute();
+}
+
+export async function down(db: Kysely<DB>): Promise<void> {
+  await db.schema.dropTable('auth_tokens').execute();
+
+  await db.schema
+    .createTable('nip46_tokens')
+    .addColumn('api_token', 'text', (col) => col.primaryKey().unique().notNull())
+    .addColumn('user_pubkey', 'text', (col) => col.notNull())
+    .addColumn('server_seckey', 'bytea', (col) => col.notNull())
+    .addColumn('server_pubkey', 'text', (col) => col.notNull())
+    .addColumn('relays', 'text', (col) => col.defaultTo('[]'))
+    .addColumn('connected_at', 'timestamp', (col) => col.defaultTo(sql`CURRENT_TIMESTAMP`))
+    .execute();
+}

src/middleware/signerMiddleware.ts

@@ -3,9 +3,11 @@ import { NSecSigner } from '@nostrify/nostrify';
 import { nip19 } from 'nostr-tools';
 
 import { AppMiddleware } from '@/app.ts';
+import { Conf } from '@/config.ts';
 import { ConnectSigner } from '@/signers/ConnectSigner.ts';
 import { ReadOnlySigner } from '@/signers/ReadOnlySigner.ts';
 import { Storages } from '@/storages.ts';
+import { decryptSecretKey, getTokenHash } from '@/utils/auth.ts';
 
 /** We only accept "Bearer" type. */
 const BEARER_REGEX = new RegExp(`^Bearer (${nip19.BECH32_REGEX.source})$`);
@@ -21,14 +23,17 @@ export const signerMiddleware: AppMiddleware = async (c, next) => {
     if (bech32.startsWith('token1')) {
       try {
         const kysely = await Storages.kysely();
+        const tokenHash = await getTokenHash(bech32 as `token1${string}`);
 
-        const { user_pubkey, server_seckey, relays } = await kysely
-          .selectFrom('nip46_tokens')
-          .select(['user_pubkey', 'server_seckey', 'relays'])
-          .where('api_token', '=', bech32)
+        const { pubkey, nip46_sk_enc, nip46_relays } = await kysely
+          .selectFrom('auth_tokens')
+          .select(['pubkey', 'nip46_sk_enc', 'nip46_relays'])
+          .where('token_hash', '=', tokenHash)
           .executeTakeFirstOrThrow();
 
-        c.set('signer', new ConnectSigner(user_pubkey, new NSecSigner(server_seckey), JSON.parse(relays)));
+        const nep46Seckey = await decryptSecretKey(Conf.seckey, nip46_sk_enc);
+
+        c.set('signer', new ConnectSigner(pubkey, new NSecSigner(nep46Seckey), nip46_relays));
       } catch {
         throw new HTTPException(401);
       }

src/trends.test.ts

@@ -0,0 +1,105 @@
+import { assertEquals } from '@std/assert';
+import { generateSecretKey, NostrEvent } from 'nostr-tools';
+
+import { getTrendingTagValues } from '@/trends.ts';
+import { createTestDB, genEvent } from '@/test.ts';
+
+Deno.test("getTrendingTagValues(): 'e' tag and WITHOUT language parameter", async () => {
+  await using db = await createTestDB();
+
+  const events: NostrEvent[] = [];
+
+  let sk = generateSecretKey();
+  const post1 = genEvent({ kind: 1, content: 'SHOW ME THE MONEY' }, sk);
+  const numberOfAuthorsWhoLikedPost1 = 100;
+  const post1multiplier = 2;
+  const post1uses = numberOfAuthorsWhoLikedPost1 * post1multiplier;
+  for (let i = 0; i < numberOfAuthorsWhoLikedPost1; i++) {
+    const sk = generateSecretKey();
+    events.push(
+      genEvent({ kind: 7, content: '+', tags: Array(post1multiplier).fill([...['e', post1.id]]) }, sk),
+    );
+  }
+  events.push(post1);
+
+  sk = generateSecretKey();
+  const post2 = genEvent({ kind: 1, content: 'Ithaca' }, sk);
+  const numberOfAuthorsWhoLikedPost2 = 100;
+  const post2multiplier = 1;
+  const post2uses = numberOfAuthorsWhoLikedPost2 * post2multiplier;
+  for (let i = 0; i < numberOfAuthorsWhoLikedPost2; i++) {
+    const sk = generateSecretKey();
+    events.push(
+      genEvent({ kind: 7, content: '+', tags: Array(post2multiplier).fill([...['e', post2.id]]) }, sk),
+    );
+  }
+  events.push(post2);
+
+  for (const event of events) {
+    await db.store.event(event);
+  }
+
+  const trends = await getTrendingTagValues(db.kysely, ['e'], { kinds: [1, 7] });
+
+  const expected = [{ value: post1.id, authors: numberOfAuthorsWhoLikedPost1, uses: post1uses }, {
+    value: post2.id,
+    authors: numberOfAuthorsWhoLikedPost2,
+    uses: post2uses,
+  }];
+
+  assertEquals(trends, expected);
+});
+
+Deno.test("getTrendingTagValues(): 'e' tag and WITH language parameter", async () => {
+  await using db = await createTestDB();
+
+  const events: NostrEvent[] = [];
+
+  let sk = generateSecretKey();
+  const post1 = genEvent({ kind: 1, content: 'Irei cortar o cabelo.' }, sk);
+  const numberOfAuthorsWhoLikedPost1 = 100;
+  const post1multiplier = 2;
+  const post1uses = numberOfAuthorsWhoLikedPost1 * post1multiplier;
+  for (let i = 0; i < numberOfAuthorsWhoLikedPost1; i++) {
+    const sk = generateSecretKey();
+    events.push(
+      genEvent({ kind: 7, content: '+', tags: Array(post1multiplier).fill([...['e', post1.id]]) }, sk),
+    );
+  }
+  events.push(post1);
+
+  sk = generateSecretKey();
+  const post2 = genEvent({ kind: 1, content: 'Ithaca' }, sk);
+  const numberOfAuthorsWhoLikedPost2 = 100;
+  const post2multiplier = 1;
+  for (let i = 0; i < numberOfAuthorsWhoLikedPost2; i++) {
+    const sk = generateSecretKey();
+    events.push(
+      genEvent({ kind: 7, content: '+', tags: Array(post2multiplier).fill([...['e', post2.id]]) }, sk),
+    );
+  }
+  events.push(post2);
+
+  for (const event of events) {
+    await db.store.event(event);
+  }
+
+  await db.kysely.updateTable('nostr_events')
+    .set('language', 'pt')
+    .where('id', '=', post1.id)
+    .execute();
+
+  await db.kysely.updateTable('nostr_events')
+    .set('language', 'en')
+    .where('id', '=', post2.id)
+    .execute();
+
+  const languagesIds = (await db.store.query([{ search: 'language:pt' }])).map((event) => event.id);
+
+  const trends = await getTrendingTagValues(db.kysely, ['e'], { kinds: [1, 7] }, languagesIds);
+
+  // portuguese post
+  const expected = [{ value: post1.id, authors: numberOfAuthorsWhoLikedPost1, uses: post1uses }];
+
+  assertEquals(trends, expected);
+});

src/trends.ts

@@ -19,6 +19,8 @@ export async function getTrendingTagValues(
   tagNames: string[],
   /** Filter of eligible events. */
   filter: NostrFilter,
+  /** If present, only tag values in this list are permitted to trend. */
+  values?: string[],
 ): Promise<{ value: string; authors: number; uses: number }[]> {
   let query = kysely
     .selectFrom([
@@ -33,7 +35,7 @@ export async function getTrendingTagValues(
     ])
     .where('kv.key', '=', (eb) => eb.fn.any(eb.val(tagNames)))
     .groupBy((eb) => eb.fn<string>('lower', ['element.value']))
-    .orderBy((eb) => eb.fn.agg('count', ['nostr_events.pubkey']).distinct(), 'desc');
+    .orderBy('authors desc').orderBy('uses desc');
 
   if (filter.kinds) {
     query = query.where('nostr_events.kind', '=', ({ fn, val }) => fn.any(val(filter.kinds)));
@@ -47,6 +49,9 @@ export async function getTrendingTagValues(
   if (typeof filter.until === 'number') {
     query = query.where('nostr_events.created_at', '<=', filter.until);
   }
+  if (values) {
+    query = query.where('element.value', 'in', values);
+  }
   if (typeof filter.limit === 'number') {
     query = query.limit(filter.limit);
   }
@@ -68,6 +73,7 @@ export async function updateTrendingTags(
   limit: number,
   extra = '',
   aliases?: string[],
+  values?: string[],
 ) {
   console.info(`Updating trending ${l}...`);
   const kysely = await Storages.kysely();
@@ -84,8 +90,9 @@ export async function updateTrendingTags(
       since: yesterday,
       until: now,
       limit,
-    });
+    }, values);
 
+    console.log(trends);
     if (!trends.length) {
       console.info(`No trending ${l} found. Skipping.`);
       return;
@@ -122,8 +129,31 @@ export function updateTrendingZappedEvents(): Promise<void> {
 }
 
 /** Update trending events. */
-export function updateTrendingEvents(): Promise<void> {
-  return updateTrendingTags('#e', 'e', [1, 6, 7, 9735], 40, Conf.relay, ['q']);
+export async function updateTrendingEvents(): Promise<void> {
+  const results: Promise<void>[] = [
+    updateTrendingTags('#e', 'e', [1, 6, 7, 9735], 40, Conf.relay, ['q']),
+  ];
+
+  const kysely = await Storages.kysely();
+
+  for (const language of Conf.preferredLanguages ?? []) {
+    const yesterday = Math.floor((Date.now() - Time.days(1)) / 1000);
+    const now = Math.floor(Date.now() / 1000);
+
+    const rows = await kysely
+      .selectFrom('nostr_events')
+      .select('nostr_events.id')
+      .where('nostr_events.language', '=', language)
+      .where('nostr_events.created_at', '>=', yesterday)
+      .where('nostr_events.created_at', '<=', now)
+      .execute();
+
+    const ids = rows.map((row) => row.id);
+
+    results.push(updateTrendingTags(`#e.${language}`, 'e', [1, 6, 7, 9735], 40, Conf.relay, ['q'], ids));
+  }
+
+  await Promise.allSettled(results);
 }
 
 /** Update trending hashtags. */

src/utils.ts

@@ -64,20 +64,6 @@ function findTag(tags: string[][], name: string): string[] | undefined {
   return tags.find((tag) => tag[0] === name);
 }
 
-/**
- * Get sha256 hash (hex) of some text.
- * https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest#converting_a_digest_to_a_hex_string
- */
-async function sha256(message: string): Promise<string> {
-  const msgUint8 = new TextEncoder().encode(message);
-  const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8);
-  const hashArray = Array.from(new Uint8Array(hashBuffer));
-  const hashHex = hashArray
-    .map((b) => b.toString(16).padStart(2, '0'))
-    .join('');
-  return hashHex;
-}
-
 /** Test whether the value is a Nostr ID. */
 function isNostrId(value: unknown): boolean {
   return n.id().safeParse(value).success;
@@ -88,6 +74,6 @@ function isURL(value: unknown): boolean {
   return z.string().url().safeParse(value).success;
 }
 
-export { bech32ToPubkey, eventAge, findTag, isNostrId, isURL, type Nip05, nostrDate, nostrNow, parseNip05, sha256 };
+export { bech32ToPubkey, eventAge, findTag, isNostrId, isURL, type Nip05, nostrDate, nostrNow, parseNip05 };
 
 export { Time } from '@/utils/time.ts';

src/utils/auth.bench.ts

@@ -0,0 +1,28 @@
+import { generateSecretKey } from 'nostr-tools';
+
+import { decryptSecretKey, encryptSecretKey, generateToken, getTokenHash } from '@/utils/auth.ts';
+
+Deno.bench('generateToken', async () => {
+  await generateToken();
+});
+
+Deno.bench('getTokenHash', async (b) => {
+  const { token } = await generateToken();
+  b.start();
+  await getTokenHash(token);
+});
+
+Deno.bench('encryptSecretKey', async (b) => {
+  const sk = generateSecretKey();
+  const decrypted = generateSecretKey();
+  b.start();
+  await encryptSecretKey(sk, decrypted);
+});
+
+Deno.bench('decryptSecretKey', async (b) => {
+  const sk = generateSecretKey();
+  const decrypted = generateSecretKey();
+  const encrypted = await encryptSecretKey(sk, decrypted);
+  b.start();
+  await decryptSecretKey(sk, encrypted);
+});

src/utils/auth.test.ts

@@ -0,0 +1,29 @@
+import { assertEquals } from '@std/assert';
+import { decodeHex, encodeHex } from '@std/encoding/hex';
+import { generateSecretKey } from 'nostr-tools';
+
+import { decryptSecretKey, encryptSecretKey, generateToken, getTokenHash } from '@/utils/auth.ts';
+
+Deno.test('generateToken', async () => {
+  const sk = decodeHex('a0968751df8fd42f362213f08751911672f2a037113b392403bbb7dd31b71c95');
+
+  const { token, hash } = await generateToken(sk);
+
+  assertEquals(token, 'token15ztgw5wl3l2z7d3zz0cgw5v3zee09gphzyanjfqrhwma6vdhrj2sauwknd');
+  assertEquals(encodeHex(hash), 'ab4c4ead4d1c72a38fffd45b999937b7e3f25f867b19aaf252df858e77b66a8a');
+});
+
+Deno.test('getTokenHash', async () => {
+  const hash = await getTokenHash('token15ztgw5wl3l2z7d3zz0cgw5v3zee09gphzyanjfqrhwma6vdhrj2sauwknd');
+  assertEquals(encodeHex(hash), 'ab4c4ead4d1c72a38fffd45b999937b7e3f25f867b19aaf252df858e77b66a8a');
+});
+
+Deno.test('encryptSecretKey & decryptSecretKey', async () => {
+  const sk = generateSecretKey();
+  const data = generateSecretKey();
+
+  const encrypted = await encryptSecretKey(sk, data);
+  const decrypted = await decryptSecretKey(sk, encrypted);
+
+  assertEquals(encodeHex(decrypted), encodeHex(data));
+});

src/utils/auth.ts

@@ -0,0 +1,54 @@
+import { bech32 } from '@scure/base';
+import { generateSecretKey } from 'nostr-tools';
+
+/**
+ * Generate an auth token for the API.
+ *
+ * Returns a bech32 encoded API token and the SHA-256 hash of the bytes.
+ * The token should be presented to the user, but only the hash should be stored in the database.
+ */
+export async function generateToken(sk = generateSecretKey()): Promise<{ token: `token1${string}`; hash: Uint8Array }> {
+  const words = bech32.toWords(sk);
+  const token = bech32.encode('token', words);
+
+  const buffer = await crypto.subtle.digest('SHA-256', sk);
+  const hash = new Uint8Array(buffer);
+
+  return { token, hash };
+}
+
+/**
+ * Get the SHA-256 hash of an API token.
+ * First decodes from bech32 then hashes the bytes.
+ * Used to identify the user in the database by the hash of their token.
+ */
+export async function getTokenHash(token: `token1${string}`): Promise<Uint8Array> {
+  const { bytes: sk } = bech32.decodeToBytes(token);
+  const buffer = await crypto.subtle.digest('SHA-256', sk);
+
+  return new Uint8Array(buffer);
+}
+
+/**
+ * Encrypt a secret key with AES-GCM.
+ * This function is used to store the secret key in the database.
+ */
+export async function encryptSecretKey(sk: Uint8Array, decrypted: Uint8Array): Promise<Uint8Array> {
+  const secretKey = await crypto.subtle.importKey('raw', sk, { name: 'AES-GCM' }, false, ['encrypt']);
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const buffer = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, secretKey, decrypted);
+
+  return new Uint8Array([...iv, ...new Uint8Array(buffer)]);
+}
+
+/**
+ * Decrypt a secret key with AES-GCM.
+ * This function is used to retrieve the secret key from the database.
+ */
+export async function decryptSecretKey(sk: Uint8Array, encrypted: Uint8Array): Promise<Uint8Array> {
+  const secretKey = await crypto.subtle.importKey('raw', sk, { name: 'AES-GCM' }, false, ['decrypt']);
+  const iv = encrypted.slice(0, 12);
+  const buffer = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, secretKey, encrypted.slice(12));
+
+  return new Uint8Array(buffer);
+}

src/utils/lnurl.ts

@@ -1,5 +1,5 @@
 import { LNURL, LNURLDetails } from '@nostrify/nostrify/ln';
-import Debug from '@soapbox/stickynotes/debug';
+import { Stickynotes } from '@soapbox/stickynotes';
 
 import { cachedLnurlsSizeGauge } from '@/metrics.ts';
 import { SimpleLRU } from '@/utils/SimpleLRU.ts';
@@ -7,17 +7,17 @@ import { Time } from '@/utils/time.ts';
 import { fetchWorker } from '@/workers/fetch.ts';
 import { NostrEvent } from '@nostrify/nostrify';
 
-const debug = Debug('ditto:lnurl');
+const console = new Stickynotes('ditto:lnurl');
 
 const lnurlCache = new SimpleLRU<string, LNURLDetails>(
   async (lnurl, { signal }) => {
-    debug(`Lookup ${lnurl}`);
+    console.debug(`Lookup ${lnurl}`);
     try {
       const result = await LNURL.lookup(lnurl, { fetch: fetchWorker, signal });
-      debug(`Found: ${lnurl}`);
+      console.debug(`Found: ${lnurl}`);
       return result;
     } catch (e) {
-      debug(`Not found: ${lnurl}`);
+      console.debug(`Not found: ${lnurl}`);
       throw e;
     }
   },

src/utils/media.test.ts

@@ -7,6 +7,10 @@ Deno.test('getUrlMediaType', () => {
   assertEquals(getUrlMediaType('https://example.com/index.html'), 'text/html');
   assertEquals(getUrlMediaType('https://example.com/yolo'), undefined);
   assertEquals(getUrlMediaType('https://example.com/'), undefined);
+  assertEquals(
+    getUrlMediaType('https://gitlab.com/soapbox-pub/nostrify/-/blob/main/packages/policies/WoTPolicy.ts'),
+    'application/typescript',
+  );
 });
 
 Deno.test('isPermittedMediaType', () => {

src/utils/media.ts

@@ -1,4 +1,4 @@
-import { typeByExtension } from '@std/media-types';
+import { typeByExtension as _typeByExtension } from '@std/media-types';
 
 /** Get media type of the filename in the URL by its extension, if any. */
 export function getUrlMediaType(url: string): string | undefined {
@@ -22,3 +22,13 @@ export function isPermittedMediaType(mediaType: string, permitted: string[]): bo
   const [baseType, _subType] = mediaType.split('/');
   return permitted.includes(baseType);
 }
+
+/** Custom type-by-extension with overrides. */
+function typeByExtension(ext: string): string | undefined {
+  switch (ext) {
+    case 'ts':
+      return 'application/typescript';
+    default:
+      return _typeByExtension(ext);
+  }
+}

src/utils/nip98.ts

@@ -1,9 +1,10 @@
 import { NostrEvent, NSchema as n } from '@nostrify/nostrify';
+import { encodeHex } from '@std/encoding/hex';
 import { EventTemplate, nip13 } from 'nostr-tools';
 
 import { decode64Schema } from '@/schema.ts';
 import { signedEventSchema } from '@/schemas/nostr.ts';
-import { eventAge, findTag, nostrNow, sha256 } from '@/utils.ts';
+import { eventAge, findTag, nostrNow } from '@/utils.ts';
 import { Time } from '@/utils/time.ts';
 
 /** Decode a Nostr event from a base64 encoded string. */
@@ -41,11 +42,10 @@ function validateAuthEvent(req: Request, event: NostrEvent, opts: ParseAuthReque
     .refine((event) => pow ? nip13.getPow(event.id) >= pow : true, 'Insufficient proof of work')
     .refine(validateBody, 'Event payload does not match request body');
 
-  function validateBody(event: NostrEvent) {
+  async function validateBody(event: NostrEvent): Promise<boolean> {
     if (!validatePayload) return true;
-    return req.clone().text()
-      .then(sha256)
-      .then((hash) => hash === tagValue(event, 'payload'));
+    const payload = await getPayload(req);
+    return payload === tagValue(event, 'payload');
   }
 
   return schema.safeParseAsync(event);
@@ -62,7 +62,7 @@ async function buildAuthEventTemplate(req: Request, opts: ParseAuthRequestOpts =
   ];
 
   if (validatePayload) {
-    const payload = await req.clone().text().then(sha256);
+    const payload = await getPayload(req);
     tags.push(['payload', payload]);
   }
 
@@ -74,6 +74,14 @@ async function buildAuthEventTemplate(req: Request, opts: ParseAuthRequestOpts =
   };
 }
 
+/** Get a SHA-256 hash of the request body encoded as a hex string. */
+async function getPayload(req: Request): Promise<string> {
+  const text = await req.clone().text();
+  const bytes = new TextEncoder().encode(text);
+  const buffer = await crypto.subtle.digest('SHA-256', bytes);
+  return encodeHex(buffer);
+}
+
 /** Get the value for the first matching tag name in the event. */
 function tagValue(event: NostrEvent, tagName: string): string | undefined {
   return findTag(event.tags, tagName)?.[1];