feat: rename allowed_pubkeys to allowed_npubs with normalization

- Config now accepts npub format only (human-readable) - Automatically converts npubs to hex pubkeys at load time - Updated InterceptorOptions.AllowedPubkeys -> AllowedNpubs - Added validation to reject hex format in config (npub only) - Updated documentation to clarify npub-only config - Added comprehensive tests for npub normalization Config is for humans (npub), internal code uses hex pubkeys.
author: bndw <ben@bdw.to> 2026-02-14 09:58:28 -0800
committer: bndw <ben@bdw.to> 2026-02-14 09:58:28 -0800
commit: d30459513ec44ab298fafd1bfe0edc08d6ab62e4 (patch)
tree: 1e4442f940c11544cd60b6bf72f2038338da67ce /internal/config/config.go
parent: fe3708eaf495613cc6e2340b821795f25811d6ed (diff)
1 files changed, 44 insertions, 3 deletions
diff --git a/internal/config/config.go b/internal/config/config.go
index 91e79f7..0566537 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -6,6 +6,7 @@ import (
        "strings"
        "time"
+        "northwest.io/muxstr/internal/nostr"
        "gopkg.in/yaml.v3"
 )
@@ -41,7 +42,7 @@ type AuthConfig struct {
        Enabled         bool     `yaml:"enabled"`
        Required        bool     `yaml:"required"`
        TimestampWindow int64    `yaml:"timestamp_window"`
-        AllowedPubkeys  []string `yaml:"allowed_pubkeys"`
+        AllowedNpubs    []string `yaml:"allowed_npubs"`  // npub format only (bech32) - normalized to hex internally
        SkipMethods     []string `yaml:"skip_methods"`
 }
@@ -162,6 +163,11 @@ func Load(filename string) (*Config, error) {
        // Apply environment variable overrides
        applyEnvOverrides(cfg)
+        // Normalize npubs to hex pubkeys
+        if err := normalizeNpubs(cfg); err != nil {
+                return nil, fmt.Errorf("failed to normalize npubs: %w", err)
+        }
        // Validate
        if err := cfg.Validate(); err != nil {
                return nil, fmt.Errorf("invalid configuration: %w", err)
@@ -170,6 +176,41 @@ func Load(filename string) (*Config, error) {
        return cfg, nil
 }
+// normalizeNpubs converts all npub (bech32) pubkeys to hex format.
+// Config only accepts npub format (human-readable), which is converted
+// to hex format (computer-readable) for internal use.
+func normalizeNpubs(cfg *Config) error {
+        if len(cfg.Auth.AllowedNpubs) == 0 {
+                return nil
+        }
+        normalized := make([]string, 0, len(cfg.Auth.AllowedNpubs))
+        for _, npub := range cfg.Auth.AllowedNpubs {
+                // Skip empty strings
+                npub = strings.TrimSpace(npub)
+                if npub == "" {
+                        continue
+                }
+                // Validate npub format
+                if !strings.HasPrefix(npub, "npub1") {
+                        return fmt.Errorf("invalid npub format %q: must start with 'npub1'", npub)
+                }
+                // Parse npub to get hex pubkey
+                key, err := nostr.ParsePublicKey(npub)
+                if err != nil {
+                        return fmt.Errorf("invalid npub %q: %w", npub, err)
+                }
+                // Get the hex representation for internal use
+                normalized = append(normalized, key.Public())
+        }
+        cfg.Auth.AllowedNpubs = normalized
+        return nil
+}
 // Validate validates the configuration.
 func (c *Config) Validate() error {
        // Validate server addresses
@@ -251,8 +292,8 @@ func applyEnvOverrides(cfg *Config) {
                        cfg.Auth.TimestampWindow = n
                }
        }
-        if val := os.Getenv("MUXSTR_AUTH_ALLOWED_PUBKEYS"); val != "" {
+        if val := os.Getenv("MUXSTR_AUTH_ALLOWED_NPUBS"); val != "" {
-                cfg.Auth.AllowedPubkeys = strings.Split(val, ",")
+                cfg.Auth.AllowedNpubs = strings.Split(val, ",")
        }
        // Rate limit
author	bndw <ben@bdw.to>	2026-02-14 09:58:28 -0800
committer	bndw <ben@bdw.to>	2026-02-14 09:58:28 -0800
commit	d30459513ec44ab298fafd1bfe0edc08d6ab62e4 (patch)
tree	1e4442f940c11544cd60b6bf72f2038338da67ce /internal/config/config.go
parent	fe3708eaf495613cc6e2340b821795f25811d6ed (diff)

diff --git a/internal/config/config.go b/internal/config/config.go index 91e79f7..0566537 100644 --- a/internal/config/config.go +++ b/internal/config/config.go
@@ -6,6 +6,7 @@ import (
6	"strings"	6	"strings"
7	"time"	7	"time"
8		8
		9	"northwest.io/muxstr/internal/nostr"
9	"gopkg.in/yaml.v3"	10	"gopkg.in/yaml.v3"
10	)	11	)
11		12
@@ -41,7 +42,7 @@ type AuthConfig struct {
41	Enabled bool `yaml:"enabled"`	42	Enabled bool `yaml:"enabled"`
42	Required bool `yaml:"required"`	43	Required bool `yaml:"required"`
43	TimestampWindow int64 `yaml:"timestamp_window"`	44	TimestampWindow int64 `yaml:"timestamp_window"`
44	AllowedPubkeys []string `yaml:"allowed_pubkeys"`	45	AllowedNpubs []string `yaml:"allowed_npubs"` // npub format only (bech32) - normalized to hex internally
45	SkipMethods []string `yaml:"skip_methods"`	46	SkipMethods []string `yaml:"skip_methods"`
46	}	47	}
47		48
@@ -162,6 +163,11 @@ func Load(filename string) (*Config, error) {
162	// Apply environment variable overrides	163	// Apply environment variable overrides
163	applyEnvOverrides(cfg)	164	applyEnvOverrides(cfg)
164		165
		166	// Normalize npubs to hex pubkeys
		167	if err := normalizeNpubs(cfg); err != nil {
		168	return nil, fmt.Errorf("failed to normalize npubs: %w", err)
		169	}
		170
165	// Validate	171	// Validate
166	if err := cfg.Validate(); err != nil {	172	if err := cfg.Validate(); err != nil {
167	return nil, fmt.Errorf("invalid configuration: %w", err)	173	return nil, fmt.Errorf("invalid configuration: %w", err)
@@ -170,6 +176,41 @@ func Load(filename string) (*Config, error) {
170	return cfg, nil	176	return cfg, nil
171	}	177	}
172		178
		179	// normalizeNpubs converts all npub (bech32) pubkeys to hex format.
		180	// Config only accepts npub format (human-readable), which is converted
		181	// to hex format (computer-readable) for internal use.
		182	func normalizeNpubs(cfg *Config) error {
		183	if len(cfg.Auth.AllowedNpubs) == 0 {
		184	return nil
		185	}
		186
		187	normalized := make([]string, 0, len(cfg.Auth.AllowedNpubs))
		188	for _, npub := range cfg.Auth.AllowedNpubs {
		189	// Skip empty strings
		190	npub = strings.TrimSpace(npub)
		191	if npub == "" {
		192	continue
		193	}
		194
		195	// Validate npub format
		196	if !strings.HasPrefix(npub, "npub1") {
		197	return fmt.Errorf("invalid npub format %q: must start with 'npub1'", npub)
		198	}
		199
		200	// Parse npub to get hex pubkey
		201	key, err := nostr.ParsePublicKey(npub)
		202	if err != nil {
		203	return fmt.Errorf("invalid npub %q: %w", npub, err)
		204	}
		205
		206	// Get the hex representation for internal use
		207	normalized = append(normalized, key.Public())
		208	}
		209
		210	cfg.Auth.AllowedNpubs = normalized
		211	return nil
		212	}
		213
173	// Validate validates the configuration.	214	// Validate validates the configuration.
174	func (c *Config) Validate() error {	215	func (c *Config) Validate() error {
175	// Validate server addresses	216	// Validate server addresses
@@ -251,8 +292,8 @@ func applyEnvOverrides(cfg *Config) {
251	cfg.Auth.TimestampWindow = n	292	cfg.Auth.TimestampWindow = n
252	}	293	}
253	}	294	}
254	if val := os.Getenv("MUXSTR_AUTH_ALLOWED_PUBKEYS"); val != "" {	295	if val := os.Getenv("MUXSTR_AUTH_ALLOWED_NPUBS"); val != "" {
255	cfg.Auth.AllowedPubkeys = strings.Split(val, ",")	296	cfg.Auth.AllowedNpubs = strings.Split(val, ",")
256	}	297	}
257		298
258	// Rate limit	299	// Rate limit