From 606e0a3329a3534a00889eee19c25e7d432f7d2d Mon Sep 17 00:00:00 2001
From: bndw
Date: Sat, 14 Feb 2026 10:11:16 -0800
Subject: refactor: restructure auth config for better UX Changed from flat structure to hierarchical read/write config: Before: auth: enabled: bool required: bool allowed_npubs_read: [] allowed_npubs_write: [] After: auth: read: enabled: bool allowed_npubs: [] write: enabled: bool allowed_npubs: [] Three states per operation: - enabled=false: no auth, allow all - enabled=true, allowed_npubs=[]: auth required, any valid signature - enabled=true, allowed_npubs=[...]: auth required, whitelist only Much clearer semantics and easier to reason about.
---
 internal/auth/auth_test.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'internal/auth/auth_test.go')
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index d5f3257..bcbb4a3 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -243,8 +243,15 @@ func TestValidateAuthFromContext(t *testing.T) {
 ctx := metadata.NewIncomingContext(context.Background(), md)
 opts := &InterceptorOptions{
+ Read: OperationAuthConfig{
+ Enabled: true,
+ AllowedNpubs: nil,
+ },
+ Write: OperationAuthConfig{
+ Enabled: true,
+ AllowedNpubs: nil,
+ },
 TimestampWindow: 60,
- Required: true,
 }
 pubkey, err := validateAuthFromContext(ctx, "/test.Service/Method", opts)
-- 
cgit v1.2.3
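Review bot: Both `Read` and `Write` are set to `Enabled: true` with `AllowedNpubs: nil`, so this case only exercises the "any valid signature" state and cannot tell which of the two configs `validateAuthFromContext` consults for `/test.Service/Method`. The allowlist state is the one that actually enforces access, and none of the visible lines checks that a validly signed request from a key outside the list is rejected, or that an empty non-nil list (which a decoded `allowed_npubs: []` may produce) behaves the same as `nil`. I would add table cases for those, giving `Read` and `Write` different settings in at least one of them, and annotate the fail-open default here, e.g. `AllowedNpubs: nil, // empty list: any valid signature is accepted`. The test function starts and ends outside the hunk, so such cases may already exist elsewhere in the file.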