harden wallet mnemonic storage with NIP-44 encrypt-to-self (#224)

Author: dmnyc

package.json

@@ -1,7 +1,7 @@
 {
   "name": "zap.cooking",
   "license": "MIT",
-  "version": "4.2.1",
+  "version": "4.2.2",
   "private": true,
   "scripts": {
     "dev": "vite dev",

src/lib/spark/storage.ts

@@ -1,64 +1,94 @@
 import { xchacha20poly1305 } from '@noble/ciphers/chacha.js'
 import { sha256 } from '@noble/hashes/sha2.js'
-import { bytesToHex, hexToBytes } from '@noble/hashes/utils.js'
+import { hexToBytes } from '@noble/hashes/utils.js'
+import { encrypt, decrypt, detectEncryptionMethod } from '$lib/encryptionService'
 
 const LOCAL_STORAGE_KEY_PREFIX = 'spark_wallet_'
 
-/**
- * Derives a 32-byte (256-bit) encryption key from the user's Nostr public key.
- * The mnemonic is tied to the user's Nostr identity - only they can decrypt it.
- * @param pubkey The user's Nostr public key (hex string).
- * @returns A Uint8Array representing the 32-byte encryption key.
- */
-function deriveKey(pubkey: string): Uint8Array {
-	// Convert hex pubkey to bytes, then hash with SHA-256
-	// This ties the encryption to the user's Nostr identity
+// ── V2 storage format ────────────────────────────────────────
+
+interface StoredMnemonicV2 {
+	version: 2
+	ciphertext: string
+}
+
+// ── V1 legacy support (migration only) ──────────────────────
+
+/** @deprecated V1 key derivation — used only for migrating old stored mnemonics */
+function deriveKeyV1(pubkey: string): Uint8Array {
 	const pubkeyBytes = hexToBytes(pubkey)
 	return sha256(pubkeyBytes)
 }
 
+/** Decrypt a V1 (XChaCha20-Poly1305 with pubkey-derived key) stored mnemonic */
+function decryptV1(pubkey: string, storedDataHex: string): string | null {
+	try {
+		const storedData = hexToBytes(storedDataHex)
+		const nonce = storedData.slice(0, 24)
+		const ciphertext = storedData.slice(24)
+		const key = deriveKeyV1(pubkey)
+		const cipher = xchacha20poly1305(key, nonce)
+		const decrypted = cipher.decrypt(ciphertext)
+		return new TextDecoder().decode(decrypted)
+	} catch {
+		return null
+	}
+}
+
+// ── V2: NIP-44 encrypt-to-self ──────────────────────────────
+
 /**
- * Saves an encrypted mnemonic to local storage.
- * The mnemonic is encrypted using XChaCha20-Poly1305 with a key derived from the Nostr pubkey.
+ * Saves an encrypted mnemonic to local storage using NIP-44 encrypt-to-self.
+ * The mnemonic can only be decrypted with the user's Nostr private key.
  * @param pubkey The user's Nostr public key (hex string).
  * @param mnemonic The mnemonic string to encrypt and save.
  */
 export async function saveMnemonic(pubkey: string, mnemonic: string): Promise<void> {
-	const key = deriveKey(pubkey)
-	const nonce = crypto.getRandomValues(new Uint8Array(24)) // 24-byte nonce for XChaCha20-Poly1305
-	const plaintext = new TextEncoder().encode(mnemonic)
-
-	const cipher = xchacha20poly1305(key, nonce)
-	const ciphertext = cipher.encrypt(plaintext)
-
-	// Store nonce + ciphertext as a single hex string
-	const storedData = bytesToHex(new Uint8Array([...nonce, ...ciphertext]))
-	localStorage.setItem(`${LOCAL_STORAGE_KEY_PREFIX}${pubkey}`, storedData)
+	const { ciphertext } = await encrypt(pubkey, mnemonic)
+	const stored: StoredMnemonicV2 = { version: 2, ciphertext }
+	localStorage.setItem(`${LOCAL_STORAGE_KEY_PREFIX}${pubkey}`, JSON.stringify(stored))
 }
 
 /**
  * Loads and decrypts a mnemonic from local storage.
+ * Handles both V2 (NIP-44) and V1 (legacy XChaCha20) formats.
+ * V1 data is silently migrated to V2 on successful load when a signer is available.
  * @param pubkey The user's Nostr public key (hex string).
  * @returns The decrypted mnemonic string, or null if not found or decryption fails.
  */
 export async function loadMnemonic(pubkey: string): Promise<string | null> {
-	const storedDataHex = localStorage.getItem(`${LOCAL_STORAGE_KEY_PREFIX}${pubkey}`)
-	if (!storedDataHex) {
-		return null
+	const raw = localStorage.getItem(`${LOCAL_STORAGE_KEY_PREFIX}${pubkey}`)
+	if (!raw) return null
+
+	// Try V2 JSON format first
+	try {
+		const parsed = JSON.parse(raw) as StoredMnemonicV2
+		if (parsed.version === 2 && parsed.ciphertext) {
+			const method = detectEncryptionMethod(parsed.ciphertext)
+			return await decrypt(pubkey, parsed.ciphertext, method)
+		}
+	} catch {
+		// JSON parse failed — this is a V1 legacy hex string
 	}
 
+	// V1 legacy: decrypt with old method, then migrate to V2
 	try {
-		const storedData = hexToBytes(storedDataHex)
-		const nonce = storedData.slice(0, 24)
-		const ciphertext = storedData.slice(24)
+		const mnemonic = decryptV1(pubkey, raw)
+		if (!mnemonic) {
+			console.error('[Wallet Storage] Failed to decrypt V1 mnemonic')
+			return null
+		}
 
-		const key = deriveKey(pubkey)
-		const cipher = xchacha20poly1305(key, nonce)
-		const decrypted = cipher.decrypt(ciphertext)
+		// Silent migration to V2 (best-effort; if signer unavailable, skip)
+		try {
+			await saveMnemonic(pubkey, mnemonic)
+		} catch {
+			// Migration failed (signer unavailable) — mnemonic stays in V1 until next load
+		}
 
-		return new TextDecoder().decode(decrypted)
+		return mnemonic
 	} catch (error) {
-		console.error('Failed to decrypt mnemonic:', error)
+		console.error('[Wallet Storage] Failed to decrypt mnemonic:', error)
 		return null
 	}
 }
@@ -84,10 +114,12 @@ export function deleteMnemonic(pubkey: string): void {
  * Clears all Spark wallet mnemonics from local storage.
  */
 export function clearAllSparkWallets(): void {
+	const keysToRemove: string[] = []
 	for (let i = 0; i < localStorage.length; i++) {
 		const key = localStorage.key(i)
 		if (key && key.startsWith(LOCAL_STORAGE_KEY_PREFIX)) {
-			localStorage.removeItem(key)
+			keysToRemove.push(key)
 		}
 	}
+	keysToRemove.forEach((key) => localStorage.removeItem(key))
 }