feat: add NIP-44 E2E encryption for push notifications

[alltheseas]

Summary

• Add NIP-44 v2 E2E encryption for push notification payloads
• Server encrypts notifications to client device pubkeys before sending via APNs
• Apple only sees ciphertext, protecting notification content privacy

Changes

New Features

• GET /server-pubkey - Public endpoint for clients to discover server's encryption pubkey
• PUT /user-info/:pubkey/:deviceToken/encryption-key - Register device pubkey for encrypted notifications
• Automatic encryption/plaintext fallback based on device registration

Configuration

• NIP44_ENABLED=true - Enable encryption (default: false)
• SERVER_PRIVKEY=<hex> - Required server private key for stable identity
• NIP44_ALLOW_EPHEMERAL=true - Dev mode: allow ephemeral keys (not for production)

Code Quality

• Typed NotificationManagerError for robust error handling
• UPSERT pattern preserves device_pubkey on re-registration
• Sensitive data (device tokens, pubkeys) removed from info-level logs
• 23 tests total:
  • NIP-44 crypto roundtrip and format tests
  • Env gating logic tests (SERVER_PRIVKEY + allow_generate)
  • Integration tests with in-memory SQLite DB

Test Results

running 23 tests
test notification_manager::nip44_integration_tests::test_encrypted_notification_flow ... ok
test notification_manager::nip44_integration_tests::test_plaintext_fallback_flow ... ok
test notification_manager::nip44_integration_tests::test_upsert_preserves_device_pubkey ... ok
test notification_manager::nip44_integration_tests::test_encryption_key_before_registration_fails ... ok
test server_keys::tests::test_nip44_encrypt_decrypt_roundtrip ... ok
test server_keys::tests::test_nip44_wrong_key_fails_decryption ... ok
test server_keys::tests::test_nip44_payload_format ... ok
test server_keys::tests::test_from_env_value_* ... ok (5 tests)
... and 10 more existing tests

test result: ok. 23 passed; 0 failed

Commits

1. feat: add NIP-44 E2E encryption for push notifications - Core implementation
2. fix: address NIP-44 code review feedback - UPSERT fix, env gating, log cleanup
3. fix: use typed error for device-not-found, add env gating tests - Robust error handling
4. test: add NIP-44 integration tests with in-memory DB - Full flow tests

🤖 Generated with Claude Code

[alltheseas]

Mock APNs Integration Tests

Since the APNs client is tightly coupled and requires real credentials, I created a TestHarness that tests the NIP-44 flow with an in-memory SQLite database, bypassing the APNs send path while still exercising all the critical logic.

What's Tested

Test 1: test_encrypted_notification_flow

1. Register device → save_user_device_info()
2. Register device pubkey → save_device_pubkey()
3. Verify pubkey stored → get_device_pubkey()
4. Server encrypts payload → maybe_encrypt_payload() returns ciphertext
5. Client decrypts → nostr::nips::nip44::decrypt() recovers original JSON

Test 2: test_plaintext_fallback_flow

1. Register device (no encryption pubkey)
2. Verify no pubkey stored
3. maybe_encrypt_payload() returns None → plaintext mode

Test 3: test_upsert_preserves_device_pubkey

1. Register + set encryption key
2. Re-register same device (simulates token refresh)
3. Verify device_pubkey preserved (UPSERT fix)

Test 4: test_encryption_key_before_registration_fails

1. Try to set encryption key without registering device
2. Returns NotificationManagerError::DeviceNotRegistered (typed error)

Test Harness Design

struct TestHarness {
    db: Arc<Mutex<r2d2::Pool<SqliteConnectionManager>>>,  // In-memory SQLite
    server_keys: ServerKeys,  // Generated test keys
}

The harness mirrors the NotificationManager methods but doesn't require APNs credentials, making tests fast and CI-friendly.

[alltheseas]

cc @tyiu @danieldaquino @jb55 ready for review sers

[alltheseas]

Closes #13

[alltheseas]

convert to nip-59 - happens automatically in nostrdb

[alltheseas]

@jb55 - how do we know what's in the giftwrap if iOS damus is receiving from notepush?

How does iOS damus send to nostrdb?

@jb55 maybe nip-59 is not better?

[alltheseas]

@coderabbitai review please

[coderabbitai]

@alltheseas: I'll review the changes in this PR now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Warning

Rate limit exceeded

@alltheseas has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 2 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[alltheseas]

@coderabbitai review please

[coderabbitai]

@alltheseas: I'll review the changes in this PR now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[alltheseas]

@coderabbitai review please

[coderabbitai]

@alltheseas: I'll review the changes in this PR now.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.