diff --git a/backend/.env.template b/backend/.env.template index d1ba7d4..b45f120 100644 --- a/backend/.env.template +++ b/backend/.env.template @@ -28,5 +28,6 @@ LIVEKIT_API_SECRET= # Billing NWC_URL= # Nostr Wallet Connect URL for generating Lightning invoices +ENCRYPTION_SECRET= # Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest STRIPE_SECRET_KEY= # Required Stripe API secret key (sk_...) STRIPE_WEBHOOK_SECRET=whsec_test_00000000000000000000000000 # Webhook signing secret (use real value in production) diff --git a/backend/README.md b/backend/README.md index 040f425..de33a15 100644 --- a/backend/README.md +++ b/backend/README.md @@ -44,6 +44,7 @@ Environment variables: | `LIVEKIT_API_KEY` | LiveKit API key sent to zooid | _optional_ | | `LIVEKIT_API_SECRET` | LiveKit API secret sent to zooid | _optional_ | | `NWC_URL` | Platform NWC URL used to generate BOLT11 invoices | _required for invoice generation_ | +| `ENCRYPTION_SECRET` | Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest | _required_ | | `STRIPE_SECRET_KEY` | Stripe API secret key used for billing API operations | _required_ | | `STRIPE_WEBHOOK_SECRET` | Stripe webhook signing secret used to verify `Stripe-Signature` headers | _required_ | | `ROBOT_SECRET` | Robot Nostr secret key | _required_ | diff --git a/backend/spec/api.md b/backend/spec/api.md index 663ea97..4e0b233 100644 --- a/backend/spec/api.md +++ b/backend/spec/api.md @@ -57,7 +57,7 @@ Notes: - Serves `GET /tenants` - Authorizes admin only -- Return `data` is a list of tenant structs from `query.list_tenants` +- Return `data` is a list of `TenantResponse` structs (contains `nwc_is_set: bool` instead of `nwc_url`) ## `async fn create_tenant(...) -> Response` 
@@ -69,20 +69,21 @@ Notes: - On unique-constraint race (`pubkey-exists`), re-fetch and return the existing tenant - If Stripe customer creation fails, return `code=stripe-customer-create-failed` - Always returns `200` (create-or-get is uniform) -- Return `data` is a single `Tenant` struct +- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`) ## `async fn get_tenant(...) -> Response` - Serves `GET /tenants/:pubkey` - Authorizes admin or matching tenant -- Return `data` is a single tenant struct from `query.get_tenant` +- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`) ## `async fn update_tenant(...) -> Response` - Serves `PUT /tenants/:pubkey` - Authorizes admin or matching tenant +- Accepts `nwc_url` in the request body; encrypts it before storage using `cipher::encrypt` - Updates tenant using `command.update_tenant` -- Return `data` is the updated tenant struct +- Return `data` is the updated `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`) ## `async fn list_tenant_relays(...) -> Response` diff --git a/backend/spec/models.md b/backend/spec/models.md index d14e777..3d09ee5 100644 --- a/backend/spec/models.md +++ b/backend/spec/models.md 
@@ -52,7 +52,7 @@ There are three plans available: Tenants are customers of the service, identified by a nostr `pubkey`. Public metadata like name etc are pulled from the nostr network. They also have associated billing information. - `pubkey` is the nostr public key identifying the tenant -- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf +- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf; stored encrypted at rest using NIP-44 via `ENCRYPTION_SECRET`; never serialized to API responses — tenant API endpoints expose `nwc_is_set: bool` instead - `nwc_error` (private) a string indicating the most recent NWC payment error, if any. Cleared on successful NWC payment. - `created_at` unix timestamp identifying tenant creation time - `stripe_customer_id` a string identifying the associated stripe customer diff --git a/backend/src/api.rs b/backend/src/api.rs index f806ee8..a7576b2 100644 --- a/backend/src/api.rs +++ b/backend/src/api.rs @@ -445,6 +445,31 @@ struct IdentityResponse { is_admin: bool, } +#[derive(Serialize)] +struct TenantResponse { + pubkey: String, + nwc_is_set: bool, + nwc_error: Option, + created_at: i64, + stripe_customer_id: String, + stripe_subscription_id: Option, + past_due_at: Option, +} + +impl From for TenantResponse { + fn from(t: Tenant) -> Self { + TenantResponse { + nwc_is_set: !t.nwc_url.is_empty(), + pubkey: t.pubkey, + nwc_error: t.nwc_error, + created_at: t.created_at, + stripe_customer_id: t.stripe_customer_id, + stripe_subscription_id: t.stripe_subscription_id, + past_due_at: t.past_due_at, + } + } +} + #[derive(Deserialize)] struct CreateRelayRequest { tenant: String, 
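Review bot: The allow-list in `TenantResponse` protects only the handlers that remember to convert. `Tenant` itself is not touched in this diff, so if it still derives `Serialize` (its definition is not visible here), any handler that returns a `Tenant` directly would emit the stored ciphertext. Marking the model field with `#[serde(skip_serializing)]`, or dropping `Serialize` from `Tenant`, would make that case fail closed. The struct also has no doc comment; something like `/// Wire form of a tenant: reports nwc_is_set and never carries nwc_url.` would record the intent next to the code.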
@@ -486,7 +511,13 @@ async fn list_tenants( state.api.require_admin(&pubkey)?; match state.api.query.list_tenants().await { - Ok(tenants) => Ok(ok(StatusCode::OK, tenants)), + Ok(tenants) => Ok(ok( + StatusCode::OK, + tenants + .into_iter() + .map(TenantResponse::from) + .collect::>(), + )), Err(e) => Ok(err( StatusCode::INTERNAL_SERVER_ERROR, "internal", @@ -515,7 +546,7 @@ async fn create_tenant( let pubkey = state.api.extract_auth_pubkey(&headers)?; match state.api.query.get_tenant(&pubkey).await { - Ok(Some(t)) => Ok(ok(StatusCode::OK, t)), + Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))), Ok(None) => { let stripe_customer_id = match state.api.billing.stripe_create_customer(&pubkey).await { Ok(id) => id, @@ -539,10 +570,10 @@ async fn create_tenant( }; match state.api.command.create_tenant(&tenant).await { - Ok(()) => Ok(ok(StatusCode::OK, tenant)), + Ok(()) => Ok(ok(StatusCode::OK, TenantResponse::from(tenant))), Err(e) if matches!(map_unique_error(&e), Some("pubkey-exists")) => { match state.api.query.get_tenant(&pubkey).await { - Ok(Some(t)) => Ok(ok(StatusCode::OK, t)), + Ok(Some(t)) => Ok(ok(StatusCode::OK, TenantResponse::from(t))), Ok(None) => Ok(err( StatusCode::INTERNAL_SERVER_ERROR, "internal", @@ -585,7 +616,7 @@ async fn get_tenant( let auth = state.api.extract_auth_pubkey(&headers)?; state.api.require_admin_or_tenant(&auth, &pubkey)?; let tenant = state.api.get_tenant_or_404(&pubkey).await?; - Ok(ok(StatusCode::OK, tenant)) + Ok(ok(StatusCode::OK, TenantResponse::from(tenant))) } async fn list_relays( @@ -1103,7 +1134,12 @@ async fn update_tenant( let nwc_previously_empty = tenant.nwc_url.is_empty(); if let Some(nwc_url) = payload.nwc_url { - tenant.nwc_url = nwc_url; + if nwc_url.is_empty() { + tenant.nwc_url = String::new(); + } else { + tenant.nwc_url = + crate::cipher::encrypt(&nwc_url).map_err(|e| ApiError::Internal(e.to_string()))?; + } } match state.api.command.update_tenant(&tenant).await { 
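Review bot: In the `update_tenant` hunk, `.map_err(|e| ApiError::Internal(e.to_string()))` forwards the cipher error text, which for key-loading failures names the environment variable ("missing ENCRYPTION_SECRET environment variable"). If `ApiError::Internal` echoes its string in the response body (not visible here), clients learn deployment details. Logging `e` server-side and returning a fixed message, e.g. `ApiError::Internal("failed to store nwc_url".to_string())`, avoids that. Separately, the submitted value is encrypted without any check that it is a well-formed NWC URL, so a malformed value would surface only when billing tries to pay with it. The function body starts and ends outside this hunk.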
@@ -1122,7 +1158,7 @@ async fn update_tenant( } }); } - Ok(ok(StatusCode::OK, tenant)) + Ok(ok(StatusCode::OK, TenantResponse::from(tenant))) } Err(e) => Ok(err( StatusCode::INTERNAL_SERVER_ERROR, diff --git a/backend/src/billing.rs b/backend/src/billing.rs index 320090d..fa12bce 100644 --- a/backend/src/billing.rs +++ b/backend/src/billing.rs @@ -422,13 +422,14 @@ impl Billing { // 1. NWC auto-pay: if the tenant has a nwc_url if !tenant.nwc_url.is_empty() { + let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?; match self .nwc_pay_invoice( invoice_id, &tenant.pubkey, amount_due, currency, - &tenant.nwc_url, + &plain_nwc_url, ) .await? { @@ -857,6 +858,8 @@ impl Billing { return Ok(()); } + let plain_nwc_url = crate::cipher::decrypt(&tenant.nwc_url)?; + let invoices = self .stripe_list_invoices(&tenant.stripe_customer_id) .await?; @@ -878,7 +881,7 @@ impl Billing { &tenant.pubkey, amount_due, currency, - &tenant.nwc_url, + &plain_nwc_url, ) .await? { diff --git a/backend/src/cipher.rs b/backend/src/cipher.rs new file mode 100644 index 0000000..bcf1e35 --- /dev/null +++ b/backend/src/cipher.rs @@ -0,0 +1,28 @@ +use anyhow::{Result, anyhow}; +use nostr_sdk::prelude::*; + +pub fn encrypt(plaintext: &str) -> Result { + let keys = load_key()?; + nip44::encrypt( + keys.secret_key(), + &keys.public_key(), + plaintext, + nip44::Version::V2, + ) + .map_err(|e| anyhow!("encryption failed: {e}")) +} + +pub fn decrypt(ciphertext: &str) -> Result { + let keys = load_key()?; + nip44::decrypt(keys.secret_key(), &keys.public_key(), ciphertext) + .map_err(|e| anyhow!("decryption failed: {e}")) +} + +fn load_key() -> Result { + let secret = std::env::var("ENCRYPTION_SECRET") + .map_err(|_| anyhow!("missing ENCRYPTION_SECRET environment variable"))?; + if secret.trim().is_empty() { + return Err(anyhow!("ENCRYPTION_SECRET is empty")); + } + Keys::parse(&secret).map_err(|e| anyhow!("invalid ENCRYPTION_SECRET: {e}")) +} 
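Review bot: A decrypt failure leaves through `?` before any payment path runs. `crate::cipher::decrypt(&tenant.nwc_url)?` sits in front of the step labelled `// 1. NWC auto-pay`, so a row that still holds a plaintext URL written before this change, or one encrypted under an earlier `ENCRYPTION_SECRET`, aborts the whole function and presumably skips the later fallbacks that the numbering implies. Nothing visible in this diff migrates existing rows, so consider a one-time migration that encrypts stored values. Decrypt failures could also be handled like an NWC payment failure, by recording the error in `nwc_error` and falling through. The same applies to the `decrypt` added in the hunk at -857; both function bodies continue outside their hunks.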
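Review bot: In `cipher.rs`, `load_key()` reads and parses `ENCRYPTION_SECRET` on every `encrypt`/`decrypt` call and nothing shown here checks it at startup. A missing or malformed key is therefore discovered only at the first tenant update or billing run, although the README marks the variable as required; calling `load_key()` once during startup and failing fast would close that gap. The emptiness check trims the value but the parse does not; `Keys::parse(secret.trim())` keeps the two consistent. The ciphertext carries no key identifier, so changing the secret makes every stored `nwc_url` undecryptable, which deserves a module comment such as `//! Rotating ENCRYPTION_SECRET requires re-encrypting all tenant nwc_url values.` A round-trip test for `encrypt`/`decrypt` is also missing from the new file.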
diff --git a/backend/src/lib.rs b/backend/src/lib.rs
index 98f3936..32359b6 100644
--- a/backend/src/lib.rs
+++ b/backend/src/lib.rs
@@ -1,5 +1,6 @@
 pub mod api;
 pub mod billing;
+pub mod cipher;
 pub mod command;
 pub mod infra;
 pub mod models;
diff --git a/backend/src/main.rs b/backend/src/main.rs
index 1751165..5f92556 100644
--- a/backend/src/main.rs
+++ b/backend/src/main.rs
@@ -1,5 +1,6 @@
 mod api;
 mod billing;
+mod cipher;
 mod command;
 mod infra;
 mod models;