From d30459513ec44ab298fafd1bfe0edc08d6ab62e4 Mon Sep 17 00:00:00 2001
From: bndw
Date: Sat, 14 Feb 2026 09:58:28 -0800
Subject: feat: rename allowed_pubkeys to allowed_npubs with normalization

- Config now accepts npub format only (human-readable)
- Automatically converts npubs to hex pubkeys at load time
- Updated InterceptorOptions.AllowedPubkeys -> AllowedNpubs
- Added validation to reject hex format in config (npub only)
- Updated documentation to clarify npub-only config
- Added comprehensive tests for npub normalization

Config is for humans (npub), internal code uses hex pubkeys.
---
 internal/auth/interceptor.go | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'internal/auth/interceptor.go')

diff --git a/internal/auth/interceptor.go b/internal/auth/interceptor.go
index c055a15..7d785bf 100644
--- a/internal/auth/interceptor.go
+++ b/internal/auth/interceptor.go
@@ -35,10 +35,11 @@ type InterceptorOptions struct {
 // Default: false
 ValidatePayload bool

- // AllowedPubkeys is an optional whitelist of allowed pubkeys.
+ // AllowedNpubs is an optional whitelist of allowed pubkeys (hex format).
+ // Config accepts npub format only, normalized to hex at load time.
 // If nil or empty, all valid signatures are accepted.
 // Default: nil (allow all)
- AllowedPubkeys []string
+ AllowedNpubs []string

 // SkipMethods is a list of gRPC methods that bypass authentication.
 // Useful for public endpoints like health checks or relay info.
@@ -53,7 +54,7 @@ func DefaultInterceptorOptions() *InterceptorOptions {
 TimestampWindow: 60,
 Required: false,
 ValidatePayload: false,
- AllowedPubkeys: nil,
+ AllowedNpubs: nil,
 SkipMethods: nil,
 }
 }
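Review bot: The field name `AllowedNpubs` in `InterceptorOptions` says bech32 npub while its own comment says the slice holds hex pubkeys, so a caller that builds the options in code rather than through the config loader can reasonably fill it with `npub1…` strings. Those entries would never equal the hex value the interceptor compares against, and every authenticated request would be rejected with no hint as to why. Either keep the internal name `AllowedPubkeys` and reserve `allowed_npubs` for the config key, or make the comment unambiguous: `// AllowedNpubs holds hex-encoded pubkeys, never bech32 npub strings; the config loader converts allowed_npubs entries before filling it.` The same name is used in the `DefaultInterceptorOptions` hunk and in `validateAuthFromContext`; the struct definition starts outside this hunk.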
@@ -168,9 +169,9 @@ func validateAuthFromContext(ctx context.Context, method string, opts *Intercept
 // Extract pubkey
 pubkey := ExtractPubkey(event)

- // Check whitelist if configured
- if len(opts.AllowedPubkeys) > 0 {
- if !contains(opts.AllowedPubkeys, pubkey) {
+ // Check whitelist if configured (all values are already normalized to hex)
+ if len(opts.AllowedNpubs) > 0 {
+ if !contains(opts.AllowedNpubs, pubkey) {
 return "", fmt.Errorf("pubkey not in whitelist")
 }
 }
--
cgit v1.2.3
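Review bot: The allowlist in `validateAuthFromContext` is enforced only when `len(opts.AllowedNpubs) > 0`, so an operator who configured entries ends up accepting every valid signature if the load-time normalization ever yields an empty slice. The loader is not part of this page, so it is worth confirming that it returns an error on any entry it cannot convert instead of dropping it. The new comment also asserts that all values are already hex, but nothing at this point checks that; if `contains` is an exact string match, a mixed-case or unconverted entry simply never matches, and validating each entry as 64 lowercase hex characters where the options are constructed would surface the mistake at startup. The function body starts and ends outside the hunk.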