From 5d21632ea70e1c7de7becb7ab6227b06b1535a83 Mon Sep 17 00:00:00 2001
From: bndw
Date: Sat, 14 Feb 2026 10:02:52 -0800
Subject: feat: add separate read/write allowlists for granular access control

- Split allowed_npubs into allowed_npubs_read and allowed_npubs_write
- Write operations: Publish, Delete, Create, Update, Insert, Remove, Set, Put
- Read operations: everything else (Query, Subscribe, Get, List, etc.)
- Auth interceptor checks appropriate list based on method type
- Enables common patterns:
  - Public relay: only some can write, everyone can read
  - Private relay: restricted read and write
  - Open relay: everyone can read and write
- Updated config, docs, and comprehensive tests

Use cases: "only some can write, everyone can read"
---
 internal/config/README.md | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

(limited to 'internal/config/README.md')

diff --git a/internal/config/README.md b/internal/config/README.md
index dbb8760..7deb38f 100644
--- a/internal/config/README.md
+++ b/internal/config/README.md
@@ -90,12 +90,25 @@ auth:
   # Timestamp window in seconds for replay protection
   timestamp_window: 60
 
-  # Allowed npubs (optional, whitelist)
-  # If empty, all valid signatures are accepted
+  # Allowed npubs for read operations (optional, whitelist)
+  # If empty, all valid signatures are accepted for reads
   # Use npub format only (e.g., npub1...)
-  allowed_npubs: []
+  allowed_npubs_read: []
+
+  # Allowed npubs for write operations (optional, whitelist)
+  # If empty, all valid signatures are accepted for writes
+  # Use npub format only (e.g., npub1...)
+  allowed_npubs_write: []
+
+  # Example use cases:
+  # - Public relay: allowed_npubs_write (only some can publish), empty read (everyone can read)
+  # - Private relay: both lists populated (restricted read and write)
+  # - Open relay: both lists empty (everyone can read and write)
+  #
   # Example:
-  # allowed_npubs:
+  # allowed_npubs_read:
+  #   - npub1a2b3c4d5e6f...
+  # allowed_npubs_write:
   #   - npub1a2b3c4d5e6f...
 
   # Skip authentication for these methods
@@ -222,7 +235,8 @@ Complex types:
 
 ```bash
 # Lists (comma-separated, npub format)
-export MUXSTR_AUTH_ALLOWED_NPUBS="npub1...,npub1...,npub1..."
+export MUXSTR_AUTH_ALLOWED_NPUBS_READ="npub1...,npub1..."
+export MUXSTR_AUTH_ALLOWED_NPUBS_WRITE="npub1..."
 
 # Durations
 export MUXSTR_SERVER_READ_TIMEOUT="30s"
-- 
cgit v1.2.3