From 5d21632ea70e1c7de7becb7ab6227b06b1535a83 Mon Sep 17 00:00:00 2001 From: bndw Date: Sat, 14 Feb 2026 10:02:52 -0800 Subject: feat: add separate read/write allowlists for granular access control - Split allowed_npubs into allowed_npubs_read and allowed_npubs_write - Write operations: Publish, Delete, Create, Update, Insert, Remove, Set, Put - Read operations: everything else (Query, Subscribe, Get, List, etc.) - Auth interceptor checks appropriate list based on method type - Enables common patterns: - Public relay: only some can write, everyone can read - Private relay: restricted read and write - Open relay: everyone can read and write - Updated config, docs, and comprehensive tests Use cases: "only some can write, everyone can read" --- internal/auth/auth_test.go | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'internal/auth/auth_test.go') diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go index 1f0efee..7a0da19 100644 --- a/internal/auth/auth_test.go +++ b/internal/auth/auth_test.go @@ -304,3 +304,41 @@ func TestHashPayload(t *testing.T) { t.Error("different payloads produced same hash") } } + +func TestIsWriteMethod(t *testing.T) { + tests := []struct { + method string + want bool + }{ + // Write methods + {"/nostr.v1.NostrRelay/PublishEvent", true}, + {"/nostr.v1.NostrRelay/DeleteEvent", true}, + {"/admin.v1.Admin/CreateUser", true}, + {"/admin.v1.Admin/UpdateSettings", true}, + {"/data.v1.Data/InsertRecord", true}, + {"/data.v1.Data/RemoveItem", true}, + {"/storage.v1.Storage/SetValue", true}, + {"/storage.v1.Storage/PutObject", true}, + + // Read methods + {"/nostr.v1.NostrRelay/QueryEvents", false}, + {"/nostr.v1.NostrRelay/Subscribe", false}, + {"/nostr.v1.NostrRelay/GetEvent", false}, + {"/admin.v1.Admin/ListUsers", false}, + {"/health.v1.Health/Check", false}, + {"/info.v1.Info/GetRelayInfo", false}, + + // Edge cases + {"", false}, + {"/", false}, + } + + for _, tt := range tests { + t.Run(tt.method, func(t *testing.T) { + got := isWriteMethod(tt.method) + if got != tt.want { + t.Errorf("isWriteMethod(%q) = %v, want %v", tt.method, got, tt.want) + } + }) + } +} -- cgit v1.2.3