Replace guest access with programmatic public access config (#1233)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: kixelated

Cargo.lock

@@ -33,7 +33,7 @@ leaf1: auth-token
 auth-key:
 	@if [ ! -f "dev.jwk" ]; then \
 		rm -f *.jwt; \
-		cargo run --bin moq-token-cli -- generate --out "dev.jwk" --guest anon --guest-subscribe demo; \
+		cargo run --bin moq-token-cli -- generate --out "dev.jwk"; \
 	fi
 
 # Generate authentication tokens for local development.

demo/relay/justfile

@@ -30,5 +30,8 @@ listen = "[::]:4443"
 # If you want to disable authentication, don't specify a key.
 key = "dev.jwk"
 
-# Allow anonymous publishing and subscribing for anon/**
-public = "anon"
+# Allow anonymous subscribing for anon/** and demo/**
+# Allow anonymous publishing for anon/** only
+[auth.public]
+subscribe = ["anon", "demo"]
+publish = "anon"

demo/relay/root.toml

@@ -21,17 +21,10 @@ program
 	.option("--id <id>", "Key ID (randomly generated if not provided)")
 	.option("--public <path>", "Path to save the public key (for asymmetric algorithms)")
 	.option("--base64", "Output as base64url instead of JSON", false)
-	.option("--guest-subscribe <path...>", "Path prefixes for unauthenticated subscribe access")
-	.option("--guest-publish <path...>", "Path prefixes for unauthenticated publish access")
-	.option("--guest <path...>", "Path prefixes for both unauthenticated subscribe and publish access")
 	.action(async (options) => {
 		try {
 			const algorithm = options.algorithm as Algorithm;
-			const key = await generate(algorithm, options.id, {
-				...(options.guest?.length && { guest: options.guest }),
-				...(options.guestSubscribe?.length && { guest_sub: options.guestSubscribe }),
-				...(options.guestPublish?.length && { guest_pub: options.guestPublish }),
-			});
+			const key = await generate(algorithm, options.id);
 
 			const encodeKey = (k: object): string => {
 				const json = JSON.stringify(k, null, 2);

js/token/src/cli.ts

@@ -17,33 +17,29 @@ function randomKid(): KeyId {
  * Generate a new key for the given algorithm.
  * A random key ID is assigned if none is provided.
  */
-export async function generate(
-	algorithm: Algorithm,
-	kid?: string,
-	options?: { guest?: string[]; guest_sub?: string[]; guest_pub?: string[] },
-): Promise<Key> {
+export async function generate(algorithm: Algorithm, kid?: string): Promise<Key> {
 	const validKid: KeyId = kid?.trim() ? KeyIdSchema.parse(kid.trim()) : randomKid();
 	switch (algorithm) {
 		case "HS256":
-			return generateHmacKey(algorithm, 32, validKid, options);
+			return generateHmacKey(algorithm, 32, validKid);
 		case "HS384":
-			return generateHmacKey(algorithm, 48, validKid, options);
+			return generateHmacKey(algorithm, 48, validKid);
 		case "HS512":
-			return generateHmacKey(algorithm, 64, validKid, options);
+			return generateHmacKey(algorithm, 64, validKid);
 		case "RS256":
 		case "RS384":
 		case "RS512":
-			return generateRsaKey(algorithm, "RSASSA-PKCS1-v1_5", validKid, options);
+			return generateRsaKey(algorithm, "RSASSA-PKCS1-v1_5", validKid);
 		case "PS256":
 		case "PS384":
 		case "PS512":
-			return generateRsaKey(algorithm, "RSA-PSS", validKid, options);
+			return generateRsaKey(algorithm, "RSA-PSS", validKid);
 		case "ES256":
-			return generateEcKey(algorithm, "P-256", validKid, options);
+			return generateEcKey(algorithm, "P-256", validKid);
 		case "ES384":
-			return generateEcKey(algorithm, "P-384", validKid, options);
+			return generateEcKey(algorithm, "P-384", validKid);
 		case "EdDSA":
-			return generateEdDsaKey(algorithm, validKid, options);
+			return generateEdDsaKey(algorithm, validKid);
 		default:
 			throw new Error(`Unsupported algorithm: ${algorithm}`);
 	}
@@ -52,12 +48,7 @@ export async function generate(
 /**
  * Generate an HMAC symmetric key
  */
-async function generateHmacKey(
-	alg: Algorithm,
-	byteLength: number,
-	kid: KeyId,
-	options?: { guest?: string[]; guest_sub?: string[]; guest_pub?: string[] },
-): Promise<Key> {
+async function generateHmacKey(alg: Algorithm, byteLength: number, kid: KeyId): Promise<Key> {
 	const bytes = new Uint8Array(byteLength);
 	crypto.getRandomValues(bytes);
 
@@ -69,21 +60,13 @@ async function generateHmacKey(
 		k,
 		kid,
 		key_ops: ["sign", "verify"],
-		guest: options?.guest ?? [],
-		guest_sub: options?.guest_sub ?? [],
-		guest_pub: options?.guest_pub ?? [],
 	};
 }
 
 /**
  * Generate an RSA asymmetric key pair
  */
-async function generateRsaKey(
-	alg: Algorithm,
-	name: "RSASSA-PKCS1-v1_5" | "RSA-PSS",
-	kid: KeyId,
-	options?: { guest?: string[]; guest_sub?: string[]; guest_pub?: string[] },
-): Promise<Key> {
+async function generateRsaKey(alg: Algorithm, name: "RSASSA-PKCS1-v1_5" | "RSA-PSS", kid: KeyId): Promise<Key> {
 	const keyPair = await crypto.subtle.generateKey(
 		{
 			name,
@@ -121,21 +104,13 @@ async function generateRsaKey(
 		qi: jwk.qi,
 		kid,
 		key_ops: ["sign", "verify"],
-		guest: options?.guest ?? [],
-		guest_sub: options?.guest_sub ?? [],
-		guest_pub: options?.guest_pub ?? [],
 	};
 }
 
 /**
  * Generate an elliptic curve asymmetric key pair
  */
-async function generateEcKey(
-	alg: "ES256" | "ES384",
-	namedCurve: "P-256" | "P-384",
-	kid: KeyId,
-	options?: { guest?: string[]; guest_sub?: string[]; guest_pub?: string[] },
-): Promise<Key> {
+async function generateEcKey(alg: "ES256" | "ES384", namedCurve: "P-256" | "P-384", kid: KeyId): Promise<Key> {
 	const keyPair = await crypto.subtle.generateKey(
 		{
 			name: "ECDSA",
@@ -163,20 +138,13 @@ async function generateEcKey(
 		d: jwk.d,
 		kid,
 		key_ops: ["sign", "verify"],
-		guest: options?.guest ?? [],
-		guest_sub: options?.guest_sub ?? [],
-		guest_pub: options?.guest_pub ?? [],
 	};
 }
 
 /**
  * Generate an EdDSA key pair using Ed25519
  */
-async function generateEdDsaKey(
-	alg: "EdDSA",
-	kid: KeyId,
-	options?: { guest?: string[]; guest_sub?: string[]; guest_pub?: string[] },
-): Promise<Key> {
+async function generateEdDsaKey(alg: "EdDSA", kid: KeyId): Promise<Key> {
 	const keyPair = await crypto.subtle.generateKey(
 		{
 			name: "Ed25519",
@@ -201,9 +169,6 @@ async function generateEdDsaKey(
 		d: jwk.d,
 		kid,
 		key_ops: ["sign", "verify"],
-		guest: options?.guest ?? [],
-		guest_sub: options?.guest_sub ?? [],
-		guest_pub: options?.guest_pub ?? [],
 	};
 }
 

js/token/src/generate.ts

@@ -35,24 +35,10 @@ const Base64FieldSchema = z.string().check(
 	}),
 );
 
-const StringOrArray = z._default(
-	z.union([
-		z.pipe(
-			z.string(),
-			z.transform((s) => [s]),
-		),
-		z.array(z.string()),
-	]),
-	[],
-);
-
 const BaseKeySchema = z.object({
 	alg: AlgorithmSchema,
 	key_ops: z.array(OperationSchema).check(z.minLength(1)),
 	kid: z.optional(KeyIdSchema),
-	guest: StringOrArray,
-	guest_sub: StringOrArray,
-	guest_pub: StringOrArray,
 });
 
 const OctKeySchema = z.extend(BaseKeySchema, {

js/token/src/key.ts

@@ -49,6 +49,7 @@ rustls = { version = "0.23", features = [
     "aws-lc-rs",
 ], default-features = false }
 serde = { version = "1", features = ["derive"] }
+serde_json = "1"
 serde_with = { version = "3", features = ["json", "base64"] }
 thiserror = "2"
 tikv-jemalloc-ctl = { version = "0.6", optional = true }