feat: add separate read/write allowlists for granular access control

- Split allowed_npubs into allowed_npubs_read and allowed_npubs_write - Write operations: Publish, Delete, Create, Update, Insert, Remove, Set, Put - Read operations: everything else (Query, Subscribe, Get, List, etc.) - Auth interceptor checks appropriate list based on method type - Enables common patterns: - Public relay: only some can write, everyone can read - Private relay: restricted read and write - Open relay: everyone can read and write - Updated config, docs, and comprehensive tests Use cases: "only some can write, everyone can read"
author: bndw <ben@bdw.to> 2026-02-14 10:02:52 -0800
committer: bndw <ben@bdw.to> 2026-02-14 10:02:52 -0800
commit: 5d21632ea70e1c7de7becb7ab6227b06b1535a83 (patch)
tree: e63bcbe8cdf7dc888ca0e3476ad529690a0a44a8 /internal/config
parent: d30459513ec44ab298fafd1bfe0edc08d6ab62e4 (diff)
3 files changed, 158 insertions, 54 deletions
diff --git a/internal/config/README.md b/internal/config/README.md
index dbb8760..7deb38f 100644
--- a/internal/config/README.md
+++ b/internal/config/README.md
@@ -90,12 +90,25 @@ auth:
  # Timestamp window in seconds for replay protection
  timestamp_window: 60
-  # Allowed npubs (optional, whitelist)
+  # Allowed npubs for read operations (optional, whitelist)
-  # If empty, all valid signatures are accepted
+  # If empty, all valid signatures are accepted for reads
  # Use npub format only (e.g., npub1...)
-  allowed_npubs: []
+  allowed_npubs_read: []
+  # Allowed npubs for write operations (optional, whitelist)
+  # If empty, all valid signatures are accepted for writes
+  # Use npub format only (e.g., npub1...)
+  allowed_npubs_write: []
+  # Example use cases:
+  # - Public relay: allowed_npubs_write (only some can publish), empty read (everyone can read)
+  # - Private relay: both lists populated (restricted read and write)
+  # - Open relay: both lists empty (everyone can read and write)
+  #
  # Example:
-  # allowed_npubs:
+  # allowed_npubs_read:
+  #   - npub1a2b3c4d5e6f...
+  # allowed_npubs_write:
  #   - npub1a2b3c4d5e6f...
  # Skip authentication for these methods
@@ -222,7 +235,8 @@ Complex types:
 ```bash
 # Lists (comma-separated, npub format)
-export MUXSTR_AUTH_ALLOWED_NPUBS="npub1...,npub1...,npub1..."
+export MUXSTR_AUTH_ALLOWED_NPUBS_READ="npub1...,npub1..."
+export MUXSTR_AUTH_ALLOWED_NPUBS_WRITE="npub1..."
 # Durations
 export MUXSTR_SERVER_READ_TIMEOUT="30s"
diff --git a/internal/config/config.go b/internal/config/config.go
index 0566537..3e52272 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -39,11 +39,12 @@ type DatabaseConfig struct {
 // AuthConfig holds authentication configuration.
 type AuthConfig struct {
-        Enabled         bool     `yaml:"enabled"`
+        Enabled          bool     `yaml:"enabled"`
-        Required        bool     `yaml:"required"`
+        Required         bool     `yaml:"required"`
-        TimestampWindow int64    `yaml:"timestamp_window"`
+        TimestampWindow  int64    `yaml:"timestamp_window"`
-        AllowedNpubs    []string `yaml:"allowed_npubs"`  // npub format only (bech32) - normalized to hex internally
+        AllowedNpubsRead []string `yaml:"allowed_npubs_read"`  // npub format only (bech32) - normalized to hex internally
-        SkipMethods     []string `yaml:"skip_methods"`
+        AllowedNpubsWrite []string `yaml:"allowed_npubs_write"` // npub format only (bech32) - normalized to hex internally
+        SkipMethods      []string `yaml:"skip_methods"`
 }
 // RateLimitConfig holds rate limiting configuration.
@@ -180,12 +181,31 @@ func Load(filename string) (*Config, error) {
 // Config only accepts npub format (human-readable), which is converted
 // to hex format (computer-readable) for internal use.
 func normalizeNpubs(cfg *Config) error {
-        if len(cfg.Auth.AllowedNpubs) == 0 {
+        var err error
-                return nil
+        // Normalize read allowlist
+        cfg.Auth.AllowedNpubsRead, err = normalizeNpubList(cfg.Auth.AllowedNpubsRead)
+        if err != nil {
+                return fmt.Errorf("allowed_npubs_read: %w", err)
+        }
+        // Normalize write allowlist
+        cfg.Auth.AllowedNpubsWrite, err = normalizeNpubList(cfg.Auth.AllowedNpubsWrite)
+        if err != nil {
+                return fmt.Errorf("allowed_npubs_write: %w", err)
+        }
+        return nil
+}
+// normalizeNpubList converts a list of npubs to hex pubkeys.
+func normalizeNpubList(npubs []string) ([]string, error) {
+        if len(npubs) == 0 {
+                return nil, nil
        }
-        normalized := make([]string, 0, len(cfg.Auth.AllowedNpubs))
+        normalized := make([]string, 0, len(npubs))
-        for _, npub := range cfg.Auth.AllowedNpubs {
+        for _, npub := range npubs {
                // Skip empty strings
                npub = strings.TrimSpace(npub)
                if npub == "" {
@@ -194,21 +214,20 @@ func normalizeNpubs(cfg *Config) error {
                // Validate npub format
                if !strings.HasPrefix(npub, "npub1") {
-                        return fmt.Errorf("invalid npub format %q: must start with 'npub1'", npub)
+                        return nil, fmt.Errorf("invalid npub format %q: must start with 'npub1'", npub)
                }
                // Parse npub to get hex pubkey
                key, err := nostr.ParsePublicKey(npub)
                if err != nil {
-                        return fmt.Errorf("invalid npub %q: %w", npub, err)
+                        return nil, fmt.Errorf("invalid npub %q: %w", npub, err)
                }
                // Get the hex representation for internal use
                normalized = append(normalized, key.Public())
        }
-        cfg.Auth.AllowedNpubs = normalized
+        return normalized, nil
-        return nil
 }
 // Validate validates the configuration.
@@ -292,8 +311,11 @@ func applyEnvOverrides(cfg *Config) {
                        cfg.Auth.TimestampWindow = n
                }
        }
-        if val := os.Getenv("MUXSTR_AUTH_ALLOWED_NPUBS"); val != "" {
+        if val := os.Getenv("MUXSTR_AUTH_ALLOWED_NPUBS_READ"); val != "" {
-                cfg.Auth.AllowedNpubs = strings.Split(val, ",")
+                cfg.Auth.AllowedNpubsRead = strings.Split(val, ",")
+        }
+        if val := os.Getenv("MUXSTR_AUTH_ALLOWED_NPUBS_WRITE"); val != "" {
+                cfg.Auth.AllowedNpubsWrite = strings.Split(val, ",")
        }
        // Rate limit
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 5fa159e..c0d4555 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -260,9 +260,11 @@ database:
 auth:
  enabled: true
-  allowed_npubs:
+  allowed_npubs_read:
    - npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6
    - npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft
+  allowed_npubs_write:
+    - npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6
 `
        if _, err := tmpfile.Write([]byte(configData)); err != nil {
@@ -275,18 +277,32 @@ auth:
                t.Fatalf("failed to load config: %v", err)
        }
-        // Verify npubs were normalized to hex
+        // Verify read npubs were normalized to hex
-        if len(cfg.Auth.AllowedNpubs) != 2 {
+        if len(cfg.Auth.AllowedNpubsRead) != 2 {
-                t.Errorf("expected 2 allowed npubs, got %d", len(cfg.Auth.AllowedNpubs))
+                t.Errorf("expected 2 allowed npubs for read, got %d", len(cfg.Auth.AllowedNpubsRead))
+        }
+        // Verify write npubs were normalized to hex
+        if len(cfg.Auth.AllowedNpubsWrite) != 1 {
+                t.Errorf("expected 1 allowed npub for write, got %d", len(cfg.Auth.AllowedNpubsWrite))
        }
        // Check that they're hex format (64 chars, not npub1...)
-        for i, pubkey := range cfg.Auth.AllowedNpubs {
+        for i, pubkey := range cfg.Auth.AllowedNpubsRead {
+                if len(pubkey) != 64 {
+                        t.Errorf("read npub %d: expected 64 hex chars, got %d", i, len(pubkey))
+                }
+                if len(pubkey) >= 5 && pubkey[:5] == "npub1" {
+                        t.Errorf("read npub %d: should be normalized to hex, still in npub format", i)
+                }
+        }
+        for i, pubkey := range cfg.Auth.AllowedNpubsWrite {
                if len(pubkey) != 64 {
-                        t.Errorf("npub %d: expected 64 hex chars, got %d", i, len(pubkey))
+                        t.Errorf("write npub %d: expected 64 hex chars, got %d", i, len(pubkey))
                }
-                if pubkey[:5] == "npub1" {
+                if len(pubkey) >= 5 && pubkey[:5] == "npub1" {
-                        t.Errorf("npub %d: should be normalized to hex, still in npub format", i)
+                        t.Errorf("write npub %d: should be normalized to hex, still in npub format", i)
                }
        }
@@ -294,46 +310,98 @@ auth:
        expectedHex1 := "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
        expectedHex2 := "fa984bd7dbb282f07e16e7ae87b26a2a7b9b90b7246a44771f0cf5ae58018f52"
-        if cfg.Auth.AllowedNpubs[0] != expectedHex1 {
+        if cfg.Auth.AllowedNpubsRead[0] != expectedHex1 {
-                t.Errorf("npub 0: expected %s, got %s", expectedHex1, cfg.Auth.AllowedNpubs[0])
+                t.Errorf("read npub 0: expected %s, got %s", expectedHex1, cfg.Auth.AllowedNpubsRead[0])
+        }
+        if cfg.Auth.AllowedNpubsRead[1] != expectedHex2 {
+                t.Errorf("read npub 1: expected %s, got %s", expectedHex2, cfg.Auth.AllowedNpubsRead[1])
        }
-        if cfg.Auth.AllowedNpubs[1] != expectedHex2 {
+        if cfg.Auth.AllowedNpubsWrite[0] != expectedHex1 {
-                t.Errorf("npub 1: expected %s, got %s", expectedHex2, cfg.Auth.AllowedNpubs[1])
+                t.Errorf("write npub 0: expected %s, got %s", expectedHex1, cfg.Auth.AllowedNpubsWrite[0])
        }
 }
 func TestNpubValidation(t *testing.T) {
-        tmpfile, err := os.CreateTemp("", "config-*.yaml")
+        tests := []struct {
-        if err != nil {
+                name        string
-                t.Fatal(err)
+                config      string
-        }
+                expectError bool
-        defer os.Remove(tmpfile.Name())
+                errorMsg    string
+        }{
-        // Invalid: hex format instead of npub
+                {
-        configData := `
+                        name: "invalid hex in read list",
+                        config: `
 server:
  grpc_addr: ":50051"
  http_addr: ":8080"
 database:
  path: "test.db"
 auth:
-  allowed_npubs:
+  allowed_npubs_read:
    - 3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d
-`
+`,
+                        expectError: true,
-        if _, err := tmpfile.Write([]byte(configData)); err != nil {
+                        errorMsg:    "must start with 'npub1'",
-                t.Fatal(err)
+                },
+                {
+                        name: "invalid hex in write list",
+                        config: `
+server:
+  grpc_addr: ":50051"
+  http_addr: ":8080"
+database:
+  path: "test.db"
+auth:
+  allowed_npubs_write:
+    - 3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d
+`,
+                        expectError: true,
+                        errorMsg:    "must start with 'npub1'",
+                },
+                {
+                        name: "valid npub lists",
+                        config: `
+server:
+  grpc_addr: ":50051"
+  http_addr: ":8080"
+database:
+  path: "test.db"
+auth:
+  allowed_npubs_read:
+    - npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6
+  allowed_npubs_write:
+    - npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft
+`,
+                        expectError: false,
+                },
        }
-        tmpfile.Close()
-        _, err = Load(tmpfile.Name())
+        for _, tt := range tests {
-        if err == nil {
+                t.Run(tt.name, func(t *testing.T) {
-                t.Error("expected error for hex format in allowed_npubs, got nil")
+                        tmpfile, err := os.CreateTemp("", "config-*.yaml")
-        }
+                        if err != nil {
-        if err != nil && !strings.Contains(err.Error(), "must start with 'npub1'") {
+                                t.Fatal(err)
-                t.Errorf("expected 'must start with npub1' error, got: %v", err)
+                        }
+                        defer os.Remove(tmpfile.Name())
+                        if _, err := tmpfile.Write([]byte(tt.config)); err != nil {
+                                t.Fatal(err)
+                        }
+                        tmpfile.Close()
+                        _, err = Load(tmpfile.Name())
+                        if tt.expectError {
+                                if err == nil {
+                                        t.Error("expected error, got nil")
+                                } else if !strings.Contains(err.Error(), tt.errorMsg) {
+                                        t.Errorf("expected error containing %q, got: %v", tt.errorMsg, err)
+                                }
+                        } else {
+                                if err != nil {
+                                        t.Errorf("unexpected error: %v", err)
+                                }
+                        }
+                })
        }
 }
author	bndw <ben@bdw.to>	2026-02-14 10:02:52 -0800
committer	bndw <ben@bdw.to>	2026-02-14 10:02:52 -0800
commit	5d21632ea70e1c7de7becb7ab6227b06b1535a83 (patch)
tree	e63bcbe8cdf7dc888ca0e3476ad529690a0a44a8 /internal/config
parent	d30459513ec44ab298fafd1bfe0edc08d6ab62e4 (diff)

diff --git a/internal/config/README.md b/internal/config/README.md index dbb8760..7deb38f 100644 --- a/internal/config/README.md +++ b/internal/config/README.md
@@ -90,12 +90,25 @@ auth:
90	# Timestamp window in seconds for replay protection	90	# Timestamp window in seconds for replay protection
91	timestamp_window: 60	91	timestamp_window: 60
92		92
93	# Allowed npubs (optional, whitelist)	93	# Allowed npubs for read operations (optional, whitelist)
94	# If empty, all valid signatures are accepted	94	# If empty, all valid signatures are accepted for reads
95	# Use npub format only (e.g., npub1...)	95	# Use npub format only (e.g., npub1...)
96	allowed_npubs: []	96	allowed_npubs_read: []
		97
		98	# Allowed npubs for write operations (optional, whitelist)
		99	# If empty, all valid signatures are accepted for writes
		100	# Use npub format only (e.g., npub1...)
		101	allowed_npubs_write: []
		102
		103	# Example use cases:
		104	# - Public relay: allowed_npubs_write (only some can publish), empty read (everyone can read)
		105	# - Private relay: both lists populated (restricted read and write)
		106	# - Open relay: both lists empty (everyone can read and write)
		107	#
97	# Example:	108	# Example:
98	# allowed_npubs:	109	# allowed_npubs_read:
		110	# - npub1a2b3c4d5e6f...
		111	# allowed_npubs_write:
99	# - npub1a2b3c4d5e6f...	112	# - npub1a2b3c4d5e6f...
100		113
101	# Skip authentication for these methods	114	# Skip authentication for these methods
@@ -222,7 +235,8 @@ Complex types:
222		235
223	```bash	236	```bash
224	# Lists (comma-separated, npub format)	237	# Lists (comma-separated, npub format)
225	export MUXSTR_AUTH_ALLOWED_NPUBS="npub1...,npub1...,npub1..."	238	export MUXSTR_AUTH_ALLOWED_NPUBS_READ="npub1...,npub1..."
		239	export MUXSTR_AUTH_ALLOWED_NPUBS_WRITE="npub1..."
226		240
227	# Durations	241	# Durations
228	export MUXSTR_SERVER_READ_TIMEOUT="30s"	242	export MUXSTR_SERVER_READ_TIMEOUT="30s"


diff --git a/internal/config/config.go b/internal/config/config.go index 0566537..3e52272 100644 --- a/internal/config/config.go +++ b/internal/config/config.go
@@ -39,11 +39,12 @@ type DatabaseConfig struct {
39		39
40	// AuthConfig holds authentication configuration.	40	// AuthConfig holds authentication configuration.
41	type AuthConfig struct {	41	type AuthConfig struct {
42	Enabled bool `yaml:"enabled"`	42	Enabled bool `yaml:"enabled"`
43	Required bool `yaml:"required"`	43	Required bool `yaml:"required"`
44	TimestampWindow int64 `yaml:"timestamp_window"`	44	TimestampWindow int64 `yaml:"timestamp_window"`
45	AllowedNpubs []string `yaml:"allowed_npubs"` // npub format only (bech32) - normalized to hex internally	45	AllowedNpubsRead []string `yaml:"allowed_npubs_read"` // npub format only (bech32) - normalized to hex internally
46	SkipMethods []string `yaml:"skip_methods"`	46	AllowedNpubsWrite []string `yaml:"allowed_npubs_write"` // npub format only (bech32) - normalized to hex internally
		47	SkipMethods []string `yaml:"skip_methods"`
47	}	48	}
48		49
49	// RateLimitConfig holds rate limiting configuration.	50	// RateLimitConfig holds rate limiting configuration.
@@ -180,12 +181,31 @@ func Load(filename string) (*Config, error) {
180	// Config only accepts npub format (human-readable), which is converted	181	// Config only accepts npub format (human-readable), which is converted
181	// to hex format (computer-readable) for internal use.	182	// to hex format (computer-readable) for internal use.
182	func normalizeNpubs(cfg *Config) error {	183	func normalizeNpubs(cfg *Config) error {
183	if len(cfg.Auth.AllowedNpubs) == 0 {	184	var err error
184	return nil	185
		186	// Normalize read allowlist
		187	cfg.Auth.AllowedNpubsRead, err = normalizeNpubList(cfg.Auth.AllowedNpubsRead)
		188	if err != nil {
		189	return fmt.Errorf("allowed_npubs_read: %w", err)
		190	}
		191
		192	// Normalize write allowlist
		193	cfg.Auth.AllowedNpubsWrite, err = normalizeNpubList(cfg.Auth.AllowedNpubsWrite)
		194	if err != nil {
		195	return fmt.Errorf("allowed_npubs_write: %w", err)
		196	}
		197
		198	return nil
		199	}
		200
		201	// normalizeNpubList converts a list of npubs to hex pubkeys.
		202	func normalizeNpubList(npubs []string) ([]string, error) {
		203	if len(npubs) == 0 {
		204	return nil, nil
185	}	205	}
186		206
187	normalized := make([]string, 0, len(cfg.Auth.AllowedNpubs))	207	normalized := make([]string, 0, len(npubs))
188	for _, npub := range cfg.Auth.AllowedNpubs {	208	for _, npub := range npubs {
189	// Skip empty strings	209	// Skip empty strings
190	npub = strings.TrimSpace(npub)	210	npub = strings.TrimSpace(npub)
191	if npub == "" {	211	if npub == "" {
@@ -194,21 +214,20 @@ func normalizeNpubs(cfg *Config) error {
194		214
195	// Validate npub format	215	// Validate npub format
196	if !strings.HasPrefix(npub, "npub1") {	216	if !strings.HasPrefix(npub, "npub1") {
197	return fmt.Errorf("invalid npub format %q: must start with 'npub1'", npub)	217	return nil, fmt.Errorf("invalid npub format %q: must start with 'npub1'", npub)
198	}	218	}
199		219
200	// Parse npub to get hex pubkey	220	// Parse npub to get hex pubkey
201	key, err := nostr.ParsePublicKey(npub)	221	key, err := nostr.ParsePublicKey(npub)
202	if err != nil {	222	if err != nil {
203	return fmt.Errorf("invalid npub %q: %w", npub, err)	223	return nil, fmt.Errorf("invalid npub %q: %w", npub, err)
204	}	224	}
205		225
206	// Get the hex representation for internal use	226	// Get the hex representation for internal use
207	normalized = append(normalized, key.Public())	227	normalized = append(normalized, key.Public())
208	}	228	}
209		229
210	cfg.Auth.AllowedNpubs = normalized	230	return normalized, nil
211	return nil
212	}	231	}
213		232
214	// Validate validates the configuration.	233	// Validate validates the configuration.
@@ -292,8 +311,11 @@ func applyEnvOverrides(cfg *Config) {
292	cfg.Auth.TimestampWindow = n	311	cfg.Auth.TimestampWindow = n
293	}	312	}
294	}	313	}
295	if val := os.Getenv("MUXSTR_AUTH_ALLOWED_NPUBS"); val != "" {	314	if val := os.Getenv("MUXSTR_AUTH_ALLOWED_NPUBS_READ"); val != "" {
296	cfg.Auth.AllowedNpubs = strings.Split(val, ",")	315	cfg.Auth.AllowedNpubsRead = strings.Split(val, ",")
		316	}
		317	if val := os.Getenv("MUXSTR_AUTH_ALLOWED_NPUBS_WRITE"); val != "" {
		318	cfg.Auth.AllowedNpubsWrite = strings.Split(val, ",")
297	}	319	}
298		320
299	// Rate limit	321	// Rate limit


diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 5fa159e..c0d4555 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go
@@ -260,9 +260,11 @@ database:
260		260
261	auth:	261	auth:
262	enabled: true	262	enabled: true
263	allowed_npubs:	263	allowed_npubs_read:
264	- npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6	264	- npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6
265	- npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft	265	- npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft
		266	allowed_npubs_write:
		267	- npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6
266	`	268	`
267		269
268	if _, err := tmpfile.Write([]byte(configData)); err != nil {	270	if _, err := tmpfile.Write([]byte(configData)); err != nil {
@@ -275,18 +277,32 @@ auth:
275	t.Fatalf("failed to load config: %v", err)	277	t.Fatalf("failed to load config: %v", err)
276	}	278	}
277		279
278	// Verify npubs were normalized to hex	280	// Verify read npubs were normalized to hex
279	if len(cfg.Auth.AllowedNpubs) != 2 {	281	if len(cfg.Auth.AllowedNpubsRead) != 2 {
280	t.Errorf("expected 2 allowed npubs, got %d", len(cfg.Auth.AllowedNpubs))	282	t.Errorf("expected 2 allowed npubs for read, got %d", len(cfg.Auth.AllowedNpubsRead))
		283	}
		284
		285	// Verify write npubs were normalized to hex
		286	if len(cfg.Auth.AllowedNpubsWrite) != 1 {
		287	t.Errorf("expected 1 allowed npub for write, got %d", len(cfg.Auth.AllowedNpubsWrite))
281	}	288	}
282		289
283	// Check that they're hex format (64 chars, not npub1...)	290	// Check that they're hex format (64 chars, not npub1...)
284	for i, pubkey := range cfg.Auth.AllowedNpubs {	291	for i, pubkey := range cfg.Auth.AllowedNpubsRead {
		292	if len(pubkey) != 64 {
		293	t.Errorf("read npub %d: expected 64 hex chars, got %d", i, len(pubkey))
		294	}
		295	if len(pubkey) >= 5 && pubkey[:5] == "npub1" {
		296	t.Errorf("read npub %d: should be normalized to hex, still in npub format", i)
		297	}
		298	}
		299
		300	for i, pubkey := range cfg.Auth.AllowedNpubsWrite {
285	if len(pubkey) != 64 {	301	if len(pubkey) != 64 {
286	t.Errorf("npub %d: expected 64 hex chars, got %d", i, len(pubkey))	302	t.Errorf("write npub %d: expected 64 hex chars, got %d", i, len(pubkey))
287	}	303	}
288	if pubkey[:5] == "npub1" {	304	if len(pubkey) >= 5 && pubkey[:5] == "npub1" {
289	t.Errorf("npub %d: should be normalized to hex, still in npub format", i)	305	t.Errorf("write npub %d: should be normalized to hex, still in npub format", i)
290	}	306	}
291	}	307	}
292		308
@@ -294,46 +310,98 @@ auth:
294	expectedHex1 := "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"	310	expectedHex1 := "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
295	expectedHex2 := "fa984bd7dbb282f07e16e7ae87b26a2a7b9b90b7246a44771f0cf5ae58018f52"	311	expectedHex2 := "fa984bd7dbb282f07e16e7ae87b26a2a7b9b90b7246a44771f0cf5ae58018f52"
296		312
297	if cfg.Auth.AllowedNpubs[0] != expectedHex1 {	313	if cfg.Auth.AllowedNpubsRead[0] != expectedHex1 {
298	t.Errorf("npub 0: expected %s, got %s", expectedHex1, cfg.Auth.AllowedNpubs[0])	314	t.Errorf("read npub 0: expected %s, got %s", expectedHex1, cfg.Auth.AllowedNpubsRead[0])
		315	}
		316	if cfg.Auth.AllowedNpubsRead[1] != expectedHex2 {
		317	t.Errorf("read npub 1: expected %s, got %s", expectedHex2, cfg.Auth.AllowedNpubsRead[1])
299	}	318	}
300	if cfg.Auth.AllowedNpubs[1] != expectedHex2 {	319	if cfg.Auth.AllowedNpubsWrite[0] != expectedHex1 {
301	t.Errorf("npub 1: expected %s, got %s", expectedHex2, cfg.Auth.AllowedNpubs[1])	320	t.Errorf("write npub 0: expected %s, got %s", expectedHex1, cfg.Auth.AllowedNpubsWrite[0])
302	}	321	}
303	}	322	}
304		323
305	func TestNpubValidation(t *testing.T) {	324	func TestNpubValidation(t *testing.T) {
306	tmpfile, err := os.CreateTemp("", "config-*.yaml")	325	tests := []struct {
307	if err != nil {	326	name string
308	t.Fatal(err)	327	config string
309	}	328	expectError bool
310	defer os.Remove(tmpfile.Name())	329	errorMsg string
311		330	}{
312	// Invalid: hex format instead of npub	331	{
313	configData := `	332	name: "invalid hex in read list",
		333	config: `
314	server:	334	server:
315	grpc_addr: ":50051"	335	grpc_addr: ":50051"
316	http_addr: ":8080"	336	http_addr: ":8080"
317
318	database:	337	database:
319	path: "test.db"	338	path: "test.db"
320
321	auth:	339	auth:
322	allowed_npubs:	340	allowed_npubs_read:
323	- 3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d	341	- 3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d
324	`	342	`,
325		343	expectError: true,
326	if _, err := tmpfile.Write([]byte(configData)); err != nil {	344	errorMsg: "must start with 'npub1'",
327	t.Fatal(err)	345	},
		346	{
		347	name: "invalid hex in write list",
		348	config: `
		349	server:
		350	grpc_addr: ":50051"
		351	http_addr: ":8080"
		352	database:
		353	path: "test.db"
		354	auth:
		355	allowed_npubs_write:
		356	- 3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d
		357	`,
		358	expectError: true,
		359	errorMsg: "must start with 'npub1'",
		360	},
		361	{
		362	name: "valid npub lists",
		363	config: `
		364	server:
		365	grpc_addr: ":50051"
		366	http_addr: ":8080"
		367	database:
		368	path: "test.db"
		369	auth:
		370	allowed_npubs_read:
		371	- npub180cvv07tjdrrgpa0j7j7tmnyl2yr6yr7l8j4s3evf6u64th6gkwsyjh6w6
		372	allowed_npubs_write:
		373	- npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft
		374	`,
		375	expectError: false,
		376	},
328	}	377	}
329	tmpfile.Close()
330		378
331	_, err = Load(tmpfile.Name())	379	for _, tt := range tests {
332	if err == nil {	380	t.Run(tt.name, func(t *testing.T) {
333	t.Error("expected error for hex format in allowed_npubs, got nil")	381	tmpfile, err := os.CreateTemp("", "config-*.yaml")
334	}	382	if err != nil {
335	if err != nil && !strings.Contains(err.Error(), "must start with 'npub1'") {	383	t.Fatal(err)
336	t.Errorf("expected 'must start with npub1' error, got: %v", err)	384	}
		385	defer os.Remove(tmpfile.Name())
		386
		387	if _, err := tmpfile.Write([]byte(tt.config)); err != nil {
		388	t.Fatal(err)
		389	}
		390	tmpfile.Close()
		391
		392	_, err = Load(tmpfile.Name())
		393	if tt.expectError {
		394	if err == nil {
		395	t.Error("expected error, got nil")
		396	} else if !strings.Contains(err.Error(), tt.errorMsg) {
		397	t.Errorf("expected error containing %q, got: %v", tt.errorMsg, err)
		398	}
		399	} else {
		400	if err != nil {
		401	t.Errorf("unexpected error: %v", err)
		402	}
		403	}
		404	})
337	}	405	}
338	}	406	}
339		407