| author | bndw <ben@bdw.to> | 2026-02-14 10:02:52 -0800 |
|---|---|---|
| committer | bndw <ben@bdw.to> | 2026-02-14 10:02:52 -0800 |
| commit | 5d21632ea70e1c7de7becb7ab6227b06b1535a83 (patch) | |
| tree | e63bcbe8cdf7dc888ca0e3476ad529690a0a44a8 /internal/config/README.md | |
| parent | d30459513ec44ab298fafd1bfe0edc08d6ab62e4 (diff) | |
feat: add separate read/write allowlists for granular access control
- Split allowed_npubs into allowed_npubs_read and allowed_npubs_write
- Write operations: Publish, Delete, Create, Update, Insert, Remove, Set, Put
- Read operations: everything else (Query, Subscribe, Get, List, etc.)
- Auth interceptor checks appropriate list based on method type
- Enables common patterns:
  - Public relay: only some can write, everyone can read
  - Private relay: restricted read and write
  - Open relay: everyone can read and write
- Updated config, docs, and comprehensive tests
Use cases: "only some can write, everyone can read"
Diffstat (limited to 'internal/config/README.md')
| -rw-r--r-- | internal/config/README.md | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/internal/config/README.md b/internal/config/README.md index dbb8760..7deb38f 100644 --- a/internal/config/README.md +++ b/internal/config/README.md | |||
| @@ -90,12 +90,25 @@ auth: | |||
| 90 | # Timestamp window in seconds for replay protection | 90 | # Timestamp window in seconds for replay protection |
| 91 | timestamp_window: 60 | 91 | timestamp_window: 60 |
| 92 | 92 | ||
| 93 | # Allowed npubs (optional, whitelist) | 93 | # Allowed npubs for read operations (optional, whitelist) |
| 94 | # If empty, all valid signatures are accepted | 94 | # If empty, all valid signatures are accepted for reads |
| 95 | # Use npub format only (e.g., npub1...) | 95 | # Use npub format only (e.g., npub1...) |
| 96 | allowed_npubs: [] | 96 | allowed_npubs_read: [] |
| 97 | |||
| 98 | # Allowed npubs for write operations (optional, whitelist) | ||
| 99 | # If empty, all valid signatures are accepted for writes | ||
| 100 | # Use npub format only (e.g., npub1...) | ||
| 101 | allowed_npubs_write: [] | ||
| 102 | |||
| 103 | # Example use cases: | ||
| 104 | # - Public relay: allowed_npubs_write (only some can publish), empty read (everyone can read) | ||
| 105 | # - Private relay: both lists populated (restricted read and write) | ||
| 106 | # - Open relay: both lists empty (everyone can read and write) | ||
| 107 | # | ||
| 97 | # Example: | 108 | # Example: |
| 98 | # allowed_npubs: | 109 | # allowed_npubs_read: |
| 110 | # - npub1a2b3c4d5e6f... | ||
| 111 | # allowed_npubs_write: | ||
| 99 | # - npub1a2b3c4d5e6f... | 112 | # - npub1a2b3c4d5e6f... |
| 100 | 113 | ||
| 101 | # Skip authentication for these methods | 114 | # Skip authentication for these methods |
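Review bot: the rename of `allowed_npubs` to `allowed_npubs_read` / `allowed_npubs_write` on lines 93-101 leaves no note on what happens to an existing config that still sets `allowed_npubs`; since both new lists default to empty and an empty list means "all valid signatures are accepted", an operator who upgrades without editing their config would go from a restricted relay to one open to every valid signer. Add a line stating whether the old key is rejected at startup or silently ignored, and prefer the former. The "everyone can read" wording on lines 104 and 106 should also say "anyone with a valid signature", since line 94 makes clear that signature validation still applies. Finally, the README never lists which methods are treated as writes (the commit message names Publish, Delete, Create, Update, Insert, Remove, Set, Put, with everything else falling into the less restricted read list); documenting that classification next to these keys lets an operator check that every mutating method actually lands on the write list.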
| @@ -222,7 +235,8 @@ Complex types: | |||
| 222 | 235 | ||
| 223 | ```bash | 236 | ```bash |
| 224 | # Lists (comma-separated, npub format) | 237 | # Lists (comma-separated, npub format) |
| 225 | export MUXSTR_AUTH_ALLOWED_NPUBS="npub1...,npub1...,npub1..." | 238 | export MUXSTR_AUTH_ALLOWED_NPUBS_READ="npub1...,npub1..." |
| 239 | export MUXSTR_AUTH_ALLOWED_NPUBS_WRITE="npub1..." | ||
| 226 | 240 | ||
| 227 | # Durations | 241 | # Durations |
| 228 | export MUXSTR_SERVER_READ_TIMEOUT="30s" | 242 | export MUXSTR_SERVER_READ_TIMEOUT="30s" |
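Review bot: lines 237-239 replace `MUXSTR_AUTH_ALLOWED_NPUBS` with the `_READ` and `_WRITE` variants but do not say that the old variable is no longer honoured, so a deployment that still exports it would end up with two empty lists and, per the defaults above, accept every valid signature. Add a sentence that the old variable is deprecated (ideally that startup fails when it is set), and state how the comma-separated parser treats whitespace around entries and invalid npub strings, since an entry that is silently dropped rather than rejected also widens access without any visible error.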
