refactor: restructure auth config for better UX

Changed from flat structure to hierarchical read/write config: Before: auth: enabled: bool required: bool allowed_npubs_read: [] allowed_npubs_write: [] After: auth: read: enabled: bool allowed_npubs: [] write: enabled: bool allowed_npubs: [] Three states per operation: - enabled=false: no auth, allow all - enabled=true, allowed_npubs=[]: auth required, any valid signature - enabled=true, allowed_npubs=[...]: auth required, whitelist only Much clearer semantics and easier to reason about.
author: bndw <ben@bdw.to> 2026-02-14 10:11:16 -0800
committer: bndw <ben@bdw.to> 2026-02-14 10:11:16 -0800
commit: 606e0a3329a3534a00889eee19c25e7d432f7d2d (patch)
tree: 526b1419eaa6b9b91126adbfa5990ec47f5d3a07 /internal/config/README.md
parent: a90009e6b887a8a7ca67f49566af2caffb807776 (diff)
1 files changed, 41 insertions, 29 deletions
diff --git a/internal/config/README.md b/internal/config/README.md
index 7deb38f..3dcf215 100644
--- a/internal/config/README.md
+++ b/internal/config/README.md
@@ -80,41 +80,51 @@ database:
 # Authentication configuration
 auth:
-  # Enable authentication
+  # Read authentication (Subscribe, QueryEvents, CountEvents)
-  enabled: false
+  read:
+    enabled: false          # false = no auth, allow all
-  # Require authentication for all requests
+    allowed_npubs: []       # npub format only (e.g., npub1...)
-  # If false, authentication is optional (pubkey available if provided)
+    # If enabled=false: no auth, allow all reads
-  required: false
+    # If enabled=true && allowed_npubs=[]: auth required, any valid signature accepted
+    # If enabled=true && allowed_npubs=[...]: auth required, only whitelisted npubs
+  # Write authentication (PublishEvent, PublishBatch)
+  write:
+    enabled: false
+    allowed_npubs: []
  # Timestamp window in seconds for replay protection
  timestamp_window: 60
-  # Allowed npubs for read operations (optional, whitelist)
-  # If empty, all valid signatures are accepted for reads
-  # Use npub format only (e.g., npub1...)
-  allowed_npubs_read: []
-  # Allowed npubs for write operations (optional, whitelist)
-  # If empty, all valid signatures are accepted for writes
-  # Use npub format only (e.g., npub1...)
-  allowed_npubs_write: []
-  # Example use cases:
-  # - Public relay: allowed_npubs_write (only some can publish), empty read (everyone can read)
-  # - Private relay: both lists populated (restricted read and write)
-  # - Open relay: both lists empty (everyone can read and write)
-  #
-  # Example:
-  # allowed_npubs_read:
-  #   - npub1a2b3c4d5e6f...
-  # allowed_npubs_write:
-  #   - npub1a2b3c4d5e6f...
  # Skip authentication for these methods
  skip_methods:
    - "/grpc.health.v1.Health/Check"
+# Common patterns:
+# Public relay (anyone can read, only whitelisted can write):
+#   read:
+#     enabled: false
+#   write:
+#     enabled: true
+#     allowed_npubs:
+#       - npub1...
+#
+# Private relay (whitelisted read and write):
+#   read:
+#     enabled: true
+#     allowed_npubs:
+#       - npub1...
+#   write:
+#     enabled: true
+#     allowed_npubs:
+#       - npub1...
+#
+# Open relay (everyone can read and write):
+#   read:
+#     enabled: false
+#   write:
+#     enabled: false
 # Rate limiting configuration
 rate_limit:
  # Enable rate limiting
@@ -235,8 +245,10 @@ Complex types:
 ```bash
 # Lists (comma-separated, npub format)
-export MUXSTR_AUTH_ALLOWED_NPUBS_READ="npub1...,npub1..."
+export MUXSTR_AUTH_READ_ENABLED=true
-export MUXSTR_AUTH_ALLOWED_NPUBS_WRITE="npub1..."
+export MUXSTR_AUTH_READ_ALLOWED_NPUBS="npub1...,npub1..."
+export MUXSTR_AUTH_WRITE_ENABLED=true
+export MUXSTR_AUTH_WRITE_ALLOWED_NPUBS="npub1..."
 # Durations
 export MUXSTR_SERVER_READ_TIMEOUT="30s"
author	bndw <ben@bdw.to>	2026-02-14 10:11:16 -0800
committer	bndw <ben@bdw.to>	2026-02-14 10:11:16 -0800
commit	606e0a3329a3534a00889eee19c25e7d432f7d2d (patch)
tree	526b1419eaa6b9b91126adbfa5990ec47f5d3a07 /internal/config/README.md
parent	a90009e6b887a8a7ca67f49566af2caffb807776 (diff)

diff --git a/internal/config/README.md b/internal/config/README.md index 7deb38f..3dcf215 100644 --- a/internal/config/README.md +++ b/internal/config/README.md
@@ -80,41 +80,51 @@ database:
80		80
81	# Authentication configuration	81	# Authentication configuration
82	auth:	82	auth:
83	# Enable authentication	83	# Read authentication (Subscribe, QueryEvents, CountEvents)
84	enabled: false	84	read:
85		85	enabled: false # false = no auth, allow all
86	# Require authentication for all requests	86	allowed_npubs: [] # npub format only (e.g., npub1...)
87	# If false, authentication is optional (pubkey available if provided)	87	# If enabled=false: no auth, allow all reads
88	required: false	88	# If enabled=true && allowed_npubs=[]: auth required, any valid signature accepted
		89	# If enabled=true && allowed_npubs=[...]: auth required, only whitelisted npubs
		90
		91	# Write authentication (PublishEvent, PublishBatch)
		92	write:
		93	enabled: false
		94	allowed_npubs: []
89		95
90	# Timestamp window in seconds for replay protection	96	# Timestamp window in seconds for replay protection
91	timestamp_window: 60	97	timestamp_window: 60
92		98
93	# Allowed npubs for read operations (optional, whitelist)
94	# If empty, all valid signatures are accepted for reads
95	# Use npub format only (e.g., npub1...)
96	allowed_npubs_read: []
97
98	# Allowed npubs for write operations (optional, whitelist)
99	# If empty, all valid signatures are accepted for writes
100	# Use npub format only (e.g., npub1...)
101	allowed_npubs_write: []
102
103	# Example use cases:
104	# - Public relay: allowed_npubs_write (only some can publish), empty read (everyone can read)
105	# - Private relay: both lists populated (restricted read and write)
106	# - Open relay: both lists empty (everyone can read and write)
107	#
108	# Example:
109	# allowed_npubs_read:
110	# - npub1a2b3c4d5e6f...
111	# allowed_npubs_write:
112	# - npub1a2b3c4d5e6f...
113
114	# Skip authentication for these methods	99	# Skip authentication for these methods
115	skip_methods:	100	skip_methods:
116	- "/grpc.health.v1.Health/Check"	101	- "/grpc.health.v1.Health/Check"
117		102
		103	# Common patterns:
		104	# Public relay (anyone can read, only whitelisted can write):
		105	# read:
		106	# enabled: false
		107	# write:
		108	# enabled: true
		109	# allowed_npubs:
		110	# - npub1...
		111	#
		112	# Private relay (whitelisted read and write):
		113	# read:
		114	# enabled: true
		115	# allowed_npubs:
		116	# - npub1...
		117	# write:
		118	# enabled: true
		119	# allowed_npubs:
		120	# - npub1...
		121	#
		122	# Open relay (everyone can read and write):
		123	# read:
		124	# enabled: false
		125	# write:
		126	# enabled: false
		127
118	# Rate limiting configuration	128	# Rate limiting configuration
119	rate_limit:	129	rate_limit:
120	# Enable rate limiting	130	# Enable rate limiting
@@ -235,8 +245,10 @@ Complex types:
235		245
236	```bash	246	```bash
237	# Lists (comma-separated, npub format)	247	# Lists (comma-separated, npub format)
238	export MUXSTR_AUTH_ALLOWED_NPUBS_READ="npub1...,npub1..."	248	export MUXSTR_AUTH_READ_ENABLED=true
239	export MUXSTR_AUTH_ALLOWED_NPUBS_WRITE="npub1..."	249	export MUXSTR_AUTH_READ_ALLOWED_NPUBS="npub1...,npub1..."
		250	export MUXSTR_AUTH_WRITE_ENABLED=true
		251	export MUXSTR_AUTH_WRITE_ALLOWED_NPUBS="npub1..."
240		252
241	# Durations	253	# Durations
242	export MUXSTR_SERVER_READ_TIMEOUT="30s"	254	export MUXSTR_SERVER_READ_TIMEOUT="30s"