Auth fixed now allows more than one user

internal/auth/auth.go

@@ -75,16 +75,34 @@ func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
 		
 	// Check if there's a whitelist and enforce it
 	if s.allowedNpub != "" && s.allowedNpub != "none" {
+		// Split by comma to support multiple allowed npubs
+		allowedNpubs := strings.Split(s.allowedNpub, ",")
+		isAuthorized := false
+		
+		// Log the number of npubs being checked
+		s.logger.Info("Checking authorization against allowed npubs",
+			zap.Int("allowed_npub_count", len(allowedNpubs)))
+		
+		// Check each allowed npub
+		for _, allowedNpub := range allowedNpubs {
+			// Trim any whitespace
+			allowedNpub = strings.TrimSpace(allowedNpub)
+			
+			// If empty after trimming, skip
+			if allowedNpub == "" {
+				continue
+			}
+			
 			// If the allowed value starts with "npub", we need to decode it to hex
-		allowedHexPubkey := s.allowedNpub
+			allowedHexPubkey := allowedNpub
-		if strings.HasPrefix(s.allowedNpub, "npub") {
+			if strings.HasPrefix(allowedNpub, "npub") {
 				// Try to decode the npub to hex
-			decodedPubkey, err := utils.DecodeNpub(s.allowedNpub)
+				decodedPubkey, err := utils.DecodeNpub(allowedNpub)
 				if err != nil {
-				s.logger.Error("Failed to decode allowed_npub",
+					s.logger.Warn("Failed to decode one of the allowed_npub values, skipping",
-					zap.String("allowed_npub", s.allowedNpub),
+						zap.String("allowed_npub", allowedNpub),
 						zap.Error(err))
-				return "", errors.New("server configuration error: invalid allowed_npub format")
+					continue
 				} else {
 					allowedHexPubkey = decodedPubkey
 				}
@@ -100,15 +118,21 @@ func (s *Service) Login(pubkey, signature, eventJSON string) (string, error) {
 				zap.String("normalized_attempt", normalizedAttempt))
 				
 			// Compare with the provided pubkey (case-insensitive comparison)
-		if normalizedAllowed != normalizedAttempt {
+			if normalizedAllowed == normalizedAttempt {
+				s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
+					zap.String("pubkey", pubkey),
+					zap.String("matching_allowed_npub", allowedNpub))
+				isAuthorized = true
+				break
+			}
+		}
+		
+		// If not authorized by any of the allowed npubs, reject
+		if !isAuthorized {
 			s.logger.Warn("Login attempt from non-whitelisted pubkey - REJECTED",
 				zap.String("attempt_pubkey", pubkey),
-				zap.String("allowed_pubkey", allowedHexPubkey),
+				zap.String("allowed_npubs", s.allowedNpub))
-				zap.String("allowed_npub", s.allowedNpub))
+			return "", errors.New("unauthorized: only configured npubs are allowed to log in")
-			return "", errors.New("unauthorized: only the configured npub is allowed to log in")
-		} else {
-			s.logger.Info("Login attempt from whitelisted pubkey - APPROVED",
-				zap.String("pubkey", pubkey))
 		}
 	}
 
@@ -172,24 +196,44 @@ func (s *Service) VerifyToken(tokenStr string) (string, error) {
 
 	// Additional check for whitelist if it's configured
 	if s.allowedNpub != "" && s.allowedNpub != "none" {
+		// Split by comma to support multiple allowed npubs
+		allowedNpubs := strings.Split(s.allowedNpub, ",")
+		isAuthorized := false
+		
+		// Log the number of npubs being checked
+		s.logger.Info("Token verification checking against allowed npubs",
+			zap.Int("allowed_npub_count", len(allowedNpubs)))
+		
+		// Normalize the token pubkey once
+		normalizedToken := strings.ToLower(token.Pubkey)
+		
+		// Check each allowed npub
+		for _, allowedNpub := range allowedNpubs {
+			// Trim any whitespace
+			allowedNpub = strings.TrimSpace(allowedNpub)
+			
+			// If empty after trimming, skip
+			if allowedNpub == "" {
+				continue
+			}
+			
 			// If the allowed value starts with "npub", we need to decode it to hex
-		allowedHexPubkey := s.allowedNpub
+			allowedHexPubkey := allowedNpub
-		if strings.HasPrefix(s.allowedNpub, "npub") {
+			if strings.HasPrefix(allowedNpub, "npub") {
 				// Try to decode the npub to hex
-			decodedPubkey, err := utils.DecodeNpub(s.allowedNpub)
+				decodedPubkey, err := utils.DecodeNpub(allowedNpub)
 				if err != nil {
-				s.logger.Error("Failed to decode allowed_npub in token verification",
+					s.logger.Warn("Failed to decode one of the allowed_npub values in token verification, skipping",
-					zap.String("allowed_npub", s.allowedNpub),
+						zap.String("allowed_npub", allowedNpub),
 						zap.Error(err))
-				return "", errors.New("server configuration error: invalid allowed_npub format")
+					continue
 				} else {
 					allowedHexPubkey = decodedPubkey
 				}
 			}
 
-		// Normalize both pubkeys for case-insensitive comparison
+			// Normalize the allowed pubkey
 			normalizedAllowed := strings.ToLower(allowedHexPubkey)
-		normalizedToken := strings.ToLower(token.Pubkey)
 			
 			// Log the comparison for debugging
 			s.logger.Info("Token verification comparing pubkeys",
@@ -197,16 +241,21 @@ func (s *Service) VerifyToken(tokenStr string) (string, error) {
 				zap.String("normalized_token", normalizedToken))
 
 			// Compare with the token's pubkey (case-insensitive comparison)
-		if normalizedAllowed != normalizedToken {
+			if normalizedAllowed == normalizedToken {
+				s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
+					zap.String("pubkey", token.Pubkey),
+					zap.String("matching_allowed_npub", allowedNpub))
+				isAuthorized = true
+				break
+			}
+		}
+		
+		// If not authorized by any of the allowed npubs, reject
+		if !isAuthorized {
 			s.logger.Warn("Token verification from non-whitelisted pubkey - REJECTED",
 				zap.String("token_pubkey", token.Pubkey),
-				zap.String("allowed_pubkey", allowedHexPubkey),
+				zap.String("allowed_npubs", s.allowedNpub))
-				zap.String("normalized_allowed", normalizedAllowed),
-				zap.String("normalized_token", normalizedToken))
 			return "", errors.New("unauthorized: token is for a non-whitelisted pubkey")
-		} else {
-			s.logger.Info("Token verification from whitelisted pubkey - APPROVED",
-				zap.String("pubkey", token.Pubkey))
 		}
 	}