v0.1.7 - Fixing black and white lists

2025-11-13 10:21:26 -04:00
parent 533c7f29f2
commit 455aab1eac
29 changed files with 1070 additions and 10 deletions
--- a/db/schema.sql
+++ b/db/schema.sql
@@ -43,9 +43,59 @@ INSERT OR IGNORE INTO config (key, value, description) VALUES
    ('nip42_challenge_timeout', '600', 'NIP-42 challenge timeout in seconds'),
    ('nip42_time_tolerance', '300', 'NIP-42 timestamp tolerance in seconds');

+-- Authentication rules table for whitelist/blacklist functionality
+CREATE TABLE IF NOT EXISTS auth_rules (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    rule_type TEXT NOT NULL,              -- 'pubkey_blacklist', 'pubkey_whitelist',
+                                          -- 'hash_blacklist', 'mime_blacklist', 'mime_whitelist'
+    rule_target TEXT NOT NULL,            -- The pubkey, hash, or MIME type to match
+    operation TEXT NOT NULL DEFAULT '*',  -- 'upload', 'delete', 'list', or '*' for all
+    enabled INTEGER NOT NULL DEFAULT 1,   -- 1 = enabled, 0 = disabled
+    priority INTEGER NOT NULL DEFAULT 100,-- Lower number = higher priority
+    description TEXT,                     -- Human-readable description
+    created_by TEXT,                      -- Admin pubkey who created the rule
+    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+    updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+
+    -- Constraints
+    CHECK (rule_type IN ('pubkey_blacklist', 'pubkey_whitelist',
+                         'hash_blacklist', 'mime_blacklist', 'mime_whitelist')),
+    CHECK (operation IN ('upload', 'delete', 'list', '*')),
+    CHECK (enabled IN (0, 1)),
+    CHECK (priority >= 0),
+
+    -- Unique constraint: one rule per type/target/operation combination
+    UNIQUE(rule_type, rule_target, operation)
+);
+
+-- Cache table for authentication decisions (5-minute TTL)
+CREATE TABLE IF NOT EXISTS auth_rules_cache (
+    cache_key TEXT PRIMARY KEY NOT NULL,  -- SHA-256 hash of request parameters
+    decision INTEGER NOT NULL,            -- 1 = allow, 0 = deny
+    reason TEXT,                          -- Reason for decision
+    pubkey TEXT,                          -- Public key from request
+    operation TEXT,                       -- Operation type
+    resource_hash TEXT,                   -- Resource hash (if applicable)
+    created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+    expires_at INTEGER NOT NULL,          -- Expiration timestamp
+
+    CHECK (decision IN (0, 1))
+);
+
+-- Indexes for performance optimization
+CREATE INDEX IF NOT EXISTS idx_auth_rules_type_target ON auth_rules(rule_type, rule_target);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_operation ON auth_rules(operation);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_enabled ON auth_rules(enabled);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_priority ON auth_rules(priority);
+CREATE INDEX IF NOT EXISTS idx_auth_rules_type_operation ON auth_rules(rule_type, operation, enabled);
+
+-- Index for cache expiration cleanup
+CREATE INDEX IF NOT EXISTS idx_auth_cache_expires ON auth_rules_cache(expires_at);
+CREATE INDEX IF NOT EXISTS idx_auth_cache_pubkey ON auth_rules_cache(pubkey);
+
 -- View for storage statistics
 CREATE VIEW IF NOT EXISTS storage_stats AS
-SELECT 
+SELECT
    COUNT(*) as total_blobs,
    SUM(size) as total_bytes,
    AVG(size) as avg_blob_size,