v0.1.7 - Fixing black and white lists

db/migrations/001_add_auth_rules.sql

@@ -0,0 +1,78 @@
+-- Migration: Add authentication rules tables
+-- Purpose: Enable whitelist/blacklist functionality for Ginxsom
+-- Date: 2025-01-12
+
+-- Enable foreign key constraints
+PRAGMA foreign_keys = ON;
+
+-- Authentication rules table for whitelist/blacklist functionality
+CREATE TABLE IF NOT EXISTS auth_rules (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    rule_type TEXT NOT NULL,              -- 'pubkey_blacklist', 'pubkey_whitelist', 
+                                          -- 'hash_blacklist', 'mime_blacklist', 'mime_whitelist'
+    rule_target TEXT NOT NULL,            -- The pubkey, hash, or MIME type to match
+    operation TEXT NOT NULL DEFAULT '*',  -- 'upload', 'delete', 'list', or '*' for all
+    enabled INTEGER NOT NULL DEFAULT 1,   -- 1 = enabled, 0 = disabled
+    priority INTEGER NOT NULL DEFAULT 100,-- Lower number = higher priority
+    description TEXT,                     -- Human-readable description
+    created_by TEXT,                      -- Admin pubkey who created the rule
+    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+    updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+    
+    -- Constraints
+    CHECK (rule_type IN ('pubkey_blacklist', 'pubkey_whitelist', 
+                         'hash_blacklist', 'mime_blacklist', 'mime_whitelist')),
+    CHECK (operation IN ('upload', 'delete', 'list', '*')),
+    CHECK (enabled IN (0, 1)),
+    CHECK (priority >= 0),
+    
+    -- Unique constraint: one rule per type/target/operation combination
+    UNIQUE(rule_type, rule_target, operation)
+);
+
+-- Indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_auth_rules_type_target ON auth_rules(rule_type, rule_target);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_operation ON auth_rules(operation);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_enabled ON auth_rules(enabled);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_priority ON auth_rules(priority);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_type_operation ON auth_rules(rule_type, operation, enabled);
+
+-- Cache table for authentication decisions (5-minute TTL)
+CREATE TABLE IF NOT EXISTS auth_rules_cache (
+    cache_key TEXT PRIMARY KEY NOT NULL,  -- SHA-256 hash of request parameters
+    decision INTEGER NOT NULL,            -- 1 = allow, 0 = deny
+    reason TEXT,                          -- Reason for decision
+    pubkey TEXT,                          -- Public key from request
+    operation TEXT,                       -- Operation type
+    resource_hash TEXT,                   -- Resource hash (if applicable)
+    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+    expires_at INTEGER NOT NULL,          -- Expiration timestamp
+    
+    CHECK (decision IN (0, 1))
+);
+
+-- Index for cache expiration cleanup
+CREATE INDEX IF NOT EXISTS idx_auth_cache_expires ON auth_rules_cache(expires_at);
+CREATE INDEX IF NOT EXISTS idx_auth_cache_pubkey ON auth_rules_cache(pubkey);
+
+-- Insert example rules (commented out - uncomment to use)
+-- Example: Blacklist a specific pubkey for uploads
+-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
+--     ('pubkey_blacklist', '79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798', 'upload', 10, 'Example blacklisted user', 'admin_pubkey_here');
+
+-- Example: Whitelist a specific pubkey for all operations
+-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
+--     ('pubkey_whitelist', 'your_pubkey_here', '*', 300, 'Trusted user - all operations allowed', 'admin_pubkey_here');
+
+-- Example: Blacklist executable MIME types
+-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
+--     ('mime_blacklist', 'application/x-executable', 'upload', 200, 'Block executable files', 'admin_pubkey_here'),
+--     ('mime_blacklist', 'application/x-msdos-program', 'upload', 200, 'Block DOS executables', 'admin_pubkey_here'),
+--     ('mime_blacklist', 'application/x-msdownload', 'upload', 200, 'Block Windows executables', 'admin_pubkey_here');
+
+-- Example: Whitelist common image types
+-- INSERT INTO auth_rules (rule_type, rule_target, operation, priority, description, created_by) VALUES
+--     ('mime_whitelist', 'image/jpeg', 'upload', 400, 'Allow JPEG images', 'admin_pubkey_here'),
+--     ('mime_whitelist', 'image/png', 'upload', 400, 'Allow PNG images', 'admin_pubkey_here'),
+--     ('mime_whitelist', 'image/gif', 'upload', 400, 'Allow GIF images', 'admin_pubkey_here'),
+--     ('mime_whitelist', 'image/webp', 'upload', 400, 'Allow WebP images', 'admin_pubkey_here');

db/schema.sql

@@ -43,9 +43,59 @@ INSERT OR IGNORE INTO config (key, value, description) VALUES
     ('nip42_challenge_timeout', '600', 'NIP-42 challenge timeout in seconds'),
     ('nip42_time_tolerance', '300', 'NIP-42 timestamp tolerance in seconds');
 
+-- Authentication rules table for whitelist/blacklist functionality
+CREATE TABLE IF NOT EXISTS auth_rules (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    rule_type TEXT NOT NULL,              -- 'pubkey_blacklist', 'pubkey_whitelist',
+                                          -- 'hash_blacklist', 'mime_blacklist', 'mime_whitelist'
+    rule_target TEXT NOT NULL,            -- The pubkey, hash, or MIME type to match
+    operation TEXT NOT NULL DEFAULT '*',  -- 'upload', 'delete', 'list', or '*' for all
+    enabled INTEGER NOT NULL DEFAULT 1,   -- 1 = enabled, 0 = disabled
+    priority INTEGER NOT NULL DEFAULT 100,-- Lower number = higher priority
+    description TEXT,                     -- Human-readable description
+    created_by TEXT,                      -- Admin pubkey who created the rule
+    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+    updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+
+    -- Constraints
+    CHECK (rule_type IN ('pubkey_blacklist', 'pubkey_whitelist',
+                         'hash_blacklist', 'mime_blacklist', 'mime_whitelist')),
+    CHECK (operation IN ('upload', 'delete', 'list', '*')),
+    CHECK (enabled IN (0, 1)),
+    CHECK (priority >= 0),
+
+    -- Unique constraint: one rule per type/target/operation combination
+    UNIQUE(rule_type, rule_target, operation)
+);
+
+-- Cache table for authentication decisions (5-minute TTL)
+CREATE TABLE IF NOT EXISTS auth_rules_cache (
+    cache_key TEXT PRIMARY KEY NOT NULL,  -- SHA-256 hash of request parameters
+    decision INTEGER NOT NULL,            -- 1 = allow, 0 = deny
+    reason TEXT,                          -- Reason for decision
+    pubkey TEXT,                          -- Public key from request
+    operation TEXT,                       -- Operation type
+    resource_hash TEXT,                   -- Resource hash (if applicable)
+    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+    expires_at INTEGER NOT NULL,          -- Expiration timestamp
+
+    CHECK (decision IN (0, 1))
+);
+
+-- Indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_auth_rules_type_target ON auth_rules(rule_type, rule_target);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_operation ON auth_rules(operation);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_enabled ON auth_rules(enabled);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_priority ON auth_rules(priority);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_type_operation ON auth_rules(rule_type, operation, enabled);
+
+-- Index for cache expiration cleanup
+CREATE INDEX IF NOT EXISTS idx_auth_cache_expires ON auth_rules_cache(expires_at);
+CREATE INDEX IF NOT EXISTS idx_auth_cache_pubkey ON auth_rules_cache(pubkey);
+
 -- View for storage statistics
 CREATE VIEW IF NOT EXISTS storage_stats AS
-SELECT 
+SELECT
     COUNT(*) as total_blobs,
     SUM(size) as total_bytes,
     AVG(size) as avg_blob_size,