mleku/next.orly.dev
1
0
Fork 1
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance authentication handling in request processing

Browse Source 
- Updated HandleCount, HandleEvent, and HandleReq functions to improve authentication checks based on new configuration options.
- Introduced `AuthToWrite` configuration to allow unauthenticated access for COUNT and REQ operations while still enforcing ACL checks.
- Enhanced comments for clarity on authentication requirements and access control logic.
- Bumped version to v0.17.18.
This commit is contained in:
mleku
2025-10-24 20:16:03 +01:00
parent 28ab665285
commit 75f2f379ec
5 changed files with 74 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
app/handle-count.go
View File

@@ -27,8 +27,8 @@ func (l *Listener) HandleCount(msg []byte) (err error) {
}
log.D.C(func() string { return fmt.Sprintf("COUNT sub=%s filters=%d", env.Subscription, len(env.Filters)) })
// If ACL is active, send a challenge (same as REQ path)
if acl.Registry.Active.Load() != "none" {
// If ACL is active, auth is required, or AuthToWrite is enabled, send a challenge (same as REQ path)
if acl.Registry.Active.Load() != "none" || l.Config.AuthRequired || l.Config.AuthToWrite {
if err = authenvelope.NewChallengeWith(l.challenge.Load()).Write(l); chk.E(err) {
return
}
@@ -36,11 +36,31 @@ func (l *Listener) HandleCount(msg []byte) (err error) {
// Check read permissions
accessLevel := acl.Registry.GetAccessLevel(l.authedPubkey.Load(), l.remote)
switch accessLevel {
case "none":
return errors.New("auth required: user not authed or has no read access")
default:
// allowed to read
// If auth is required but user is not authenticated, deny access
if l.Config.AuthRequired && len(l.authedPubkey.Load()) == 0 {
return errors.New("authentication required")
}
// If AuthToWrite is enabled, allow COUNT without auth (but still check ACL)
if l.Config.AuthToWrite && len(l.authedPubkey.Load()) == 0 {
// Allow unauthenticated COUNT when AuthToWrite is enabled
// but still respect ACL access levels if ACL is active
if acl.Registry.Active.Load() != "none" {
switch accessLevel {
case "none", "blocked", "banned":
return errors.New("auth required: user not authed or has no read access")
}
}
// Allow the request to proceed without authentication
} else {
// Only check ACL access level if not already handled by AuthToWrite
switch accessLevel {
case "none":
return errors.New("auth required: user not authed or has no read access")
default:
// allowed to read
}
}
// Use a bounded context for counting, isolated from the connection context