chore: encrypt tenant NWC URL at rest and stop secret exposure in tenant APIs

2026-05-05 19:31:44 +05:45
4 changed files with 8 additions and 5 deletions
@@ -28,5 +28,6 @@ LIVEKIT_API_SECRET=

 # Billing
 NWC_URL=                      # Nostr Wallet Connect URL for generating Lightning invoices
+ENCRYPTION_SECRET=            # Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest
 STRIPE_SECRET_KEY=            # Required Stripe API secret key (sk_...)
 STRIPE_WEBHOOK_SECRET=whsec_test_00000000000000000000000000  # Webhook signing secret (use real value in production)
@@ -44,6 +44,7 @@ Environment variables:
 | `LIVEKIT_API_KEY`        | LiveKit API key sent to zooid                                           | _optional_                           |
 | `LIVEKIT_API_SECRET`     | LiveKit API secret sent to zooid                                        | _optional_                           |
 | `NWC_URL`                | Platform NWC URL used to generate BOLT11 invoices                       | _required for invoice generation_    |
+| `ENCRYPTION_SECRET`      | Nostr secret key (hex or nsec) used to encrypt tenant NWC URLs at rest  | _required_                           |
 | `STRIPE_SECRET_KEY`      | Stripe API secret key used for billing API operations                   | _required_                           |
 | `STRIPE_WEBHOOK_SECRET`  | Stripe webhook signing secret used to verify `Stripe-Signature` headers | _required_                           |
 | `ROBOT_SECRET`           | Robot Nostr secret key                                                  | _required_                           |
@@ -57,7 +57,7 @@ Notes:

 - Serves `GET /tenants`
 - Authorizes admin only
- Return `data` is a list of tenant structs from `query.list_tenants`
+- Return `data` is a list of `TenantResponse` structs (contains `nwc_is_set: bool` instead of `nwc_url`)

 ## `async fn create_tenant(...) -> Response`

@@ -69,20 +69,21 @@ Notes:
 - On unique-constraint race (`pubkey-exists`), re-fetch and return the existing tenant
 - If Stripe customer creation fails, return `code=stripe-customer-create-failed`
 - Always returns `200` (create-or-get is uniform)
- Return `data` is a single `Tenant` struct
+- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)

 ## `async fn get_tenant(...) -> Response`

 - Serves `GET /tenants/:pubkey`
 - Authorizes admin or matching tenant
- Return `data` is a single tenant struct from `query.get_tenant`
+- Return `data` is a single `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)

 ## `async fn update_tenant(...) -> Response`

 - Serves `PUT /tenants/:pubkey`
 - Authorizes admin or matching tenant
+- Accepts `nwc_url` in the request body; encrypts it before storage using `cipher::encrypt`
 - Updates tenant using `command.update_tenant`
- Return `data` is the updated tenant struct
+- Return `data` is the updated `TenantResponse` struct (contains `nwc_is_set: bool` instead of `nwc_url`)

 ## `async fn list_tenant_relays(...) -> Response`

@@ -52,7 +52,7 @@ There are three plans available:
 Tenants are customers of the service, identified by a nostr `pubkey`. Public metadata like name etc are pulled from the nostr network. They also have associated billing information.

 - `pubkey` is the nostr public key identifying the tenant
- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf
+- `nwc_url` (private) a nostr wallet connect URL used for **paying** invoices generated by the system on the tenant's behalf; stored encrypted at rest using NIP-44 via `ENCRYPTION_SECRET`; never serialized to API responses — tenant API endpoints expose `nwc_is_set: bool` instead
 - `nwc_error` (private) a string indicating the most recent NWC payment error, if any. Cleared on successful NWC payment.
 - `created_at` unix timestamp identifying tenant creation time
 - `stripe_customer_id` a string identifying the associated stripe customer