add tiered auto-expiry based on auth level

app/api/routes.py

@@ -816,6 +816,23 @@ class IndexView(MethodView):
         burn_header = request.headers.get("X-Burn-After-Read", "").strip().lower()
         burn_after_read = burn_header in ("true", "1", "yes")
 
+        # Determine default expiry based on authentication level
+        # Anonymous < Untrusted cert < Trusted cert (registered in PKI)
+        if owner is None:
+            # Anonymous user
+            default_expiry = current_app.config.get("EXPIRY_ANON", 86400)
+        elif trusted_client:
+            # Trusted certificate (registered in PKI)
+            from app.pki import is_trusted_certificate
+
+            if is_trusted_certificate(owner):
+                default_expiry = current_app.config.get("EXPIRY_TRUSTED", 2592000)
+            else:
+                default_expiry = current_app.config.get("EXPIRY_UNTRUSTED", 604800)
+        else:
+            # Has cert but not trusted
+            default_expiry = current_app.config.get("EXPIRY_UNTRUSTED", 604800)
+
         expires_at = None
         expiry_header = request.headers.get("X-Expiry", "").strip()
         if expiry_header:
@@ -829,6 +846,10 @@ class IndexView(MethodView):
             except ValueError:
                 pass
 
+        # Apply default expiry if none specified (0 = no expiry for trusted)
+        if expires_at is None and default_expiry > 0:
+            expires_at = int(time.time()) + default_expiry
+
         password_hash = None
         password_header = request.headers.get("X-Paste-Password", "")
         if password_header: