From d30459513ec44ab298fafd1bfe0edc08d6ab62e4 Mon Sep 17 00:00:00 2001
From: bndw <ben@bdw.to>
Date: Sat, 14 Feb 2026 09:58:28 -0800
Subject: feat: rename allowed_pubkeys to allowed_npubs with normalization

- Config now accepts npub format only (human-readable)
- Automatically converts npubs to hex pubkeys at load time
- Updated InterceptorOptions.AllowedPubkeys -> AllowedNpubs
- Added validation to reject hex format in config (npub only)
- Updated documentation to clarify npub-only config
- Added comprehensive tests for npub normalization

Config is for humans (npub), internal code uses hex pubkeys.
---
 internal/auth/README.md      |  4 +++-
 internal/auth/interceptor.go | 13 +++++++------
 2 files changed, 10 insertions(+), 7 deletions(-)

(limited to 'internal/auth')

diff --git a/internal/auth/README.md b/internal/auth/README.md
index c41b6cb..df0de6a 100644
--- a/internal/auth/README.md
+++ b/internal/auth/README.md
@@ -209,7 +209,9 @@ authOpts := &auth.InterceptorOptions{
 - **`TimestampWindow`**: Maximum age of events in seconds (default: 60)
 - **`Required`**: Whether to reject unauthenticated requests (default: false)
 - **`ValidatePayload`**: Whether to verify payload hash when present (default: false)
-- **`AllowedPubkeys`**: Optional whitelist of allowed pubkeys (nil = allow all)
+- **`AllowedNpubs`**: Optional whitelist of allowed pubkeys (nil = allow all)
+  - Config accepts npub format only (human-readable bech32)
+  - Automatically normalized to hex format (computer-readable) at config load time
 
 ### NostrCredentials Options
 
diff --git a/internal/auth/interceptor.go b/internal/auth/interceptor.go
index c055a15..7d785bf 100644
--- a/internal/auth/interceptor.go
+++ b/internal/auth/interceptor.go
@@ -35,10 +35,11 @@ type InterceptorOptions struct {
 	// Default: false
 	ValidatePayload bool
 
-	// AllowedPubkeys is an optional whitelist of allowed pubkeys.
+	// AllowedNpubs is an optional whitelist of allowed pubkeys (hex format).
+	// Config accepts npub format only, normalized to hex at load time.
 	// If nil or empty, all valid signatures are accepted.
 	// Default: nil (allow all)
-	AllowedPubkeys []string
+	AllowedNpubs []string
 
 	// SkipMethods is a list of gRPC methods that bypass authentication.
 	// Useful for public endpoints like health checks or relay info.
@@ -53,7 +54,7 @@ func DefaultInterceptorOptions() *InterceptorOptions {
 		TimestampWindow: 60,
 		Required:        false,
 		ValidatePayload: false,
-		AllowedPubkeys:  nil,
+		AllowedNpubs:    nil,
 		SkipMethods:     nil,
 	}
 }
@@ -168,9 +169,9 @@ func validateAuthFromContext(ctx context.Context, method string, opts *Intercept
 	// Extract pubkey
 	pubkey := ExtractPubkey(event)
 
-	// Check whitelist if configured
-	if len(opts.AllowedPubkeys) > 0 {
-		if !contains(opts.AllowedPubkeys, pubkey) {
+	// Check whitelist if configured (all values are already normalized to hex)
+	if len(opts.AllowedNpubs) > 0 {
+		if !contains(opts.AllowedNpubs, pubkey) {
 			return "", fmt.Errorf("pubkey not in whitelist")
 		}
 	}
-- 
cgit v1.2.3