| author | bndw <ben@bdw.to> | 2026-02-14 10:02:52 -0800 |
|---|---|---|
| committer | bndw <ben@bdw.to> | 2026-02-14 10:02:52 -0800 |
| commit | 5d21632ea70e1c7de7becb7ab6227b06b1535a83 (patch) | |
| tree | e63bcbe8cdf7dc888ca0e3476ad529690a0a44a8 /internal/auth/auth_test.go | |
| parent | d30459513ec44ab298fafd1bfe0edc08d6ab62e4 (diff) | |
feat: add separate read/write allowlists for granular access control
- Split allowed_npubs into allowed_npubs_read and allowed_npubs_write
- Write operations: Publish, Delete, Create, Update, Insert, Remove, Set, Put
- Read operations: everything else (Query, Subscribe, Get, List, etc.)
- Auth interceptor checks appropriate list based on method type
- Enables common patterns:
- Public relay: only some can write, everyone can read
- Private relay: restricted read and write
- Open relay: everyone can read and write
- Updated config, docs, and comprehensive tests
Use cases: "only some can write, everyone can read"
Diffstat (limited to 'internal/auth/auth_test.go')
| -rw-r--r-- | internal/auth/auth_test.go | 38 |
1 files changed, 38 insertions, 0 deletions
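--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -304,3 +304,41 @@ func TestHashPayload(t *testing.T) {
 		t.Error("different payloads produced same hash")
 	}
 }
+
+func TestIsWriteMethod(t *testing.T) {
+	tests := []struct {
+		method string
+		want   bool
+	}{
+		// Write methods
+		{"/nostr.v1.NostrRelay/PublishEvent", true},
+		{"/nostr.v1.NostrRelay/DeleteEvent", true},
+		{"/admin.v1.Admin/CreateUser", true},
+		{"/admin.v1.Admin/UpdateSettings", true},
+		{"/data.v1.Data/InsertRecord", true},
+		{"/data.v1.Data/RemoveItem", true},
+		{"/storage.v1.Storage/SetValue", true},
+		{"/storage.v1.Storage/PutObject", true},
+
+		// Read methods
+		{"/nostr.v1.NostrRelay/QueryEvents", false},
+		{"/nostr.v1.NostrRelay/Subscribe", false},
+		{"/nostr.v1.NostrRelay/GetEvent", false},
+		{"/admin.v1.Admin/ListUsers", false},
+		{"/health.v1.Health/Check", false},
+		{"/info.v1.Info/GetRelayInfo", false},
+
+		// Edge cases
+		{"", false},
+		{"/", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.method, func(t *testing.T) {
+			got := isWriteMethod(tt.method)
+			if got != tt.want {
+				t.Errorf("isWriteMethod(%q) = %v, want %v", tt.method, got, tt.want)
+			}
+		})
+	}
+}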
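Review bot: The table only pins verbs that are on the write list plus a handful of obvious read names; nothing pins how a mutating method whose name starts with a verb outside that list (for example `AddUser`, `ReplaceEvent` or `UpsertRecord`) is classified, and if isWriteMethod keys on the method name as the commit message suggests, such a method is served under the read allowlist, which this commit describes as the more permissive one. Add cases that make that direction explicit, e.g. `{"/admin.v1.Admin/AddUser", false}, // verb not in write list: falls to the read allowlist` — and if the intended contract is that unrecognised verbs are treated as writes, the expected value there should be `true` and the implementation changed to match. A case such as `/nostr.v1.NostrRelay/GetSettings` would also show whether the classifier matches the verb prefix or a substring (`Set`), which the current entries cannot distinguish. TestIsWriteMethod lies entirely within the hunk; the context lines above it close TestHashPayload, whose start is outside the hunk.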
