feat: implement peers_only and specific availability access control for content

- PeersOnly access now checks X-Federation-DID header against known federation nodes
- Specific availability restricts content to named peer DIDs only
- Anonymous/unknown DID requests get 403 Forbidden
- Free content remains accessible to everyone
- Paid content still returns 402 with price info

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-13 02:27:38 +00:00
parent aa733a7daa
commit 92ac73fc20
3 changed files with 40 additions and 5 deletions

View File

@@ -403,6 +403,12 @@ impl ApiHandler {
.and_then(|v| v.to_str().ok())
.map(|s| s.to_string());
// Extract federation peer DID from X-Federation-DID header
let peer_did = headers
.get("x-federation-did")
.and_then(|v| v.to_str().ok())
.map(|s| s.to_string());
// Parse Range header for streaming support
let range = headers
.get("range")
@@ -413,6 +419,7 @@ impl ApiHandler {
&config.data_dir,
content_id,
payment_token.as_deref(),
peer_did.as_deref(),
range,
)
.await
@@ -456,6 +463,15 @@ impl ApiHandler {
.body(hyper::Body::from(body_bytes))
.unwrap())
}
Ok(content_server::ServeResult::Forbidden) => {
Ok(Response::builder()
.status(StatusCode::FORBIDDEN)
.header("Content-Type", "application/json")
.body(hyper::Body::from(
r#"{"error":"Access denied — federation peer required"}"#,
))
.unwrap())
}
Ok(content_server::ServeResult::NotFound) | Err(_) => {
Ok(Response::builder()
.status(StatusCode::NOT_FOUND)