feat: NIP-05 MVP — write /.well-known/nostr.json on single-user provision (JavaScriptSolidServer#446)

melvincarvalho · melvincarvalho · commit 5050ce26cb60 · 2026-05-14T14:23:49.000+02:00
NIP-05 is just a static JSON file at a well-known path. JSS already exposes /.well-known/* as a public namespace (WAC bypass + dotfile allow-list); the LDP GET handler serves it like any other resource. So this is purely a file write — no new route, no new module. Single-user pods with --provision-keys now write DATA_ROOT/.well-known/nostr.json containing: { "names": { "_": "<hex pubkey>" } } NIP-05 §3 reserves `_` as the "naked domain" identifier — a single-user pod IS the domain, so the owner's Nostr identity is just `<host>` with no `name@` prefix. Other Nostr clients can verify the identity via NIP-05 the moment they discover it. Implementation lives in createRootPodStructure alongside the privkey + profile writes. Same ordering rationale as the other provisioning files: ACLs → privkey → NIP-05 → profile (last for orphan-VM safety). Tests: - File written with correct shape on --single-user --provision-keys - Served over HTTP without auth (NIP-05 verifiers are unauth) - Cross-checks the NIP-05 pubkey against the profile VM's publicKeyMultibase — they must describe the same key - Without --provision-keys, no file written - Multi-user mode: no file written (aggregation is the next slice of JavaScriptSolidServer#445) 860/860 tests pass (one pre-existing flake in nostr-cid-vm test that's tracked separately as JavaScriptSolidServer#438; that test fails on ~50% of runs on main and isn't related to this change). Closes JavaScriptSolidServer#446. MVP slice of JavaScriptSolidServer#445.
diff --git a/src/server.js b/src/server.js
@@ -766,6 +766,7 @@ export function createServer(options = {}) {
     });
   }
 
+
   // LDP routes - using wildcard routing
   // Read operations - no rate limit (handled by bodyLimit)
   fastify.get('/*', handleGet);
@@ -1127,6 +1128,23 @@ export function createServer(options = {}) {
           'Failed to write owner key file at /private/privkey.jsonld'
         );
       }
+
+      // NIP-05 mapping for the bare domain (#446). NIP-05 §3 reserves
+      // `_` as the "naked domain" identifier — a single-user pod IS
+      // the domain, so the owner's Nostr identity is just `<host>`
+      // with no `name@` prefix. The file is a plain JSON resource
+      // under the spec-mandated `.well-known/` namespace; jss already
+      // bypasses WAC for /.well-known/* and lets the LDP GET handler
+      // serve it as a static file. No new route needed.
+      await storage.createContainer('/.well-known/');
+      const nip05 = { names: { _: ownerKey.publicHex } };
+      const nip05Ok = await storage.write(
+        '/.well-known/nostr.json',
+        JSON.stringify(nip05, null, 2)
+      );
+      if (!nip05Ok) {
+        throw new Error('Failed to write /.well-known/nostr.json');
+      }
     }
 
     // Generate profile (with the owner key's VM landed in
diff --git a/test/well-known-nostr-json.test.js b/test/well-known-nostr-json.test.js
@@ -0,0 +1,144 @@
+/**
+ * NIP-05 MVP — /.well-known/nostr.json on single-user pods (#446).
+ *
+ * Implementation is a static file written during pod creation, not
+ * a server-side handler. JSS already exposes /.well-known/* as a
+ * public namespace (WAC bypass + dotfile allow-list); the LDP GET
+ * handler serves the file like any other resource.
+ *
+ * Acceptance:
+ *   - single-user + --provision-keys → 200 { names: { _: <hex> } }
+ *     served at /.well-known/nostr.json, publicly readable, with
+ *     CORS open for browser-based NIP-05 verifiers.
+ *   - single-user without --provision-keys → no file written.
+ *   - multi-user → no file written (next slice of #445 aggregates).
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import fs from 'fs-extra';
+import { createServer } from '../src/server.js';
+
+const DATA_DIR = './test-data-nip05';
+
+async function startServer(options = {}) {
+  await fs.remove(DATA_DIR);
+  await fs.ensureDir(DATA_DIR);
+  const server = createServer({
+    logger: false,
+    forceCloseConnections: true,
+    root: DATA_DIR,
+    ...options
+  });
+  await server.listen({ port: 0, host: '127.0.0.1' });
+  const baseUrl = `http://127.0.0.1:${server.server.address().port}`;
+  return { server, baseUrl };
+}
+
+async function stopServer(server) {
+  await server.close();
+  await fs.remove(DATA_DIR);
+}
+
+describe('NIP-05 MVP — single-user with provisioned key', () => {
+  let server, baseUrl;
+  let savedDataRoot;
+
+  before(async () => {
+    savedDataRoot = process.env.DATA_ROOT;
+    ({ server, baseUrl } = await startServer({
+      singleUser: true,
+      provisionKeys: true
+    }));
+  });
+
+  after(async () => {
+    await stopServer(server);
+    if (savedDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = savedDataRoot;
+  });
+
+  it('writes the NIP-05 mapping with the reserved `_` name', async () => {
+    const onDisk = JSON.parse(
+      await fs.readFile(`${DATA_DIR}/.well-known/nostr.json`, 'utf8')
+    );
+    assert.deepStrictEqual(Object.keys(onDisk.names), ['_'],
+      'MVP emits exactly one mapping (the `_` reserved name)');
+    assert.match(onDisk.names._, /^[0-9a-f]{64}$/,
+      'the `_` mapping must be a 32-byte hex pubkey');
+  });
+
+  it('serves the mapping over HTTP without auth (NIP-05 verifiers are unauth)', async () => {
+    const res = await fetch(`${baseUrl}/.well-known/nostr.json`);
+    assert.strictEqual(res.status, 200);
+    const body = await res.json();
+    assert.match(body.names._, /^[0-9a-f]{64}$/);
+  });
+
+  it('matches the same pubkey landed in the WebID profile VM', async () => {
+    // Cross-check: the NIP-05 pubkey and the profile's
+    // verificationMethod publicKeyMultibase should describe the
+    // same key. If they ever diverge, an LWS-CID verifier would
+    // accept the profile's VM but a NIP-05 verifier would attest
+    // to a different identity for the same domain.
+    const onDisk = JSON.parse(
+      await fs.readFile(`${DATA_DIR}/.well-known/nostr.json`, 'utf8')
+    );
+    const profile = JSON.parse(
+      await fs.readFile(`${DATA_DIR}/profile/card.jsonld`, 'utf8')
+    );
+    const vm = profile.verificationMethod[0];
+    assert.ok(vm.publicKeyMultibase.includes(onDisk.names._),
+      'NIP-05 pubkey hex must appear in the profile VM publicKeyMultibase');
+  });
+});
+
+describe('NIP-05 MVP — single-user without a provisioned key', () => {
+  let server;
+  let savedDataRoot;
+
+  before(async () => {
+    savedDataRoot = process.env.DATA_ROOT;
+    ({ server } = await startServer({ singleUser: true }));
+  });
+
+  after(async () => {
+    await stopServer(server);
+    if (savedDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = savedDataRoot;
+  });
+
+  it('does not create the file (nothing to publish)', async () => {
+    assert.strictEqual(
+      await fs.pathExists(`${DATA_DIR}/.well-known/nostr.json`),
+      false,
+      'no key → no NIP-05 mapping → no file'
+    );
+  });
+});
+
+describe('NIP-05 MVP — multi-user mode', () => {
+  let server;
+  let savedDataRoot;
+
+  before(async () => {
+    savedDataRoot = process.env.DATA_ROOT;
+    // No singleUser → multi-user. createRootPodStructure isn't called;
+    // each pod's createPodStructure is, but the MVP only writes the
+    // NIP-05 file in single-user mode.
+    ({ server } = await startServer({}));
+  });
+
+  after(async () => {
+    await stopServer(server);
+    if (savedDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = savedDataRoot;
+  });
+
+  it('does not write a server-level NIP-05 file (aggregation is the next slice)', async () => {
+    assert.strictEqual(
+      await fs.pathExists(`${DATA_DIR}/.well-known/nostr.json`),
+      false
+    );
+  });
+});
