routes: skip PoW for trusted certificate holders

2026-02-16 22:51:08 +01:00
parent c31923f491
commit 283f87b9c4
1 changed files with 6 additions and 6 deletions
--- a/app/api/routes.py
+++ b/app/api/routes.py
@@ -950,7 +950,7 @@ class IndexView(MethodView):
            f"GET {prefixed_url('/health')}": "Health check",
            f"GET {prefixed_url('/client')}": "Download CLI client (fpaste)",
            f"GET {prefixed_url('/challenge')}": "Get proof-of-work challenge",
-            f"POST {prefixed_url('/')}": "Create paste (PoW required)",
+            f"POST {prefixed_url('/')}": "Create paste (PoW required unless trusted cert)",
            f"GET {prefixed_url('/pastes')}": "List your pastes (cert required)",
            f"GET {prefixed_url('/<id>')}": "Get paste metadata",
            f"GET {prefixed_url('/<id>/raw')}": "Get raw paste content",
@@ -958,7 +958,7 @@ class IndexView(MethodView):
            f"DELETE {prefixed_url('/<id>')}": "Delete paste (owner only)",
            f"GET {prefixed_url('/register/challenge')}": "Get registration challenge",
            f"POST {prefixed_url('/register')}": "Register for client certificate",
-            f"POST {prefixed_url('/s')}": "Create short URL (PoW required)",
+            f"POST {prefixed_url('/s')}": "Create short URL (PoW required unless trusted cert)",
            f"GET {prefixed_url('/s')}": "List your short URLs (cert required)",
            f"GET {prefixed_url('/s/<id>')}": "Redirect to target URL",
            f"GET {prefixed_url('/s/<id>/info')}": "Short URL metadata",
@@ -1072,9 +1072,9 @@ class IndexView(MethodView):
            add_rate_limit_headers(response, 0, limit, reset_timestamp)
            return response

-        # Proof-of-work verification
+        # Proof-of-work verification (trusted certs exempt)
        difficulty = current_app.config["POW_DIFFICULTY"]
-        if difficulty > 0:
+        if difficulty > 0 and not trusted_client:
            token = request.headers.get("X-PoW-Token", "")
            solution = request.headers.get("X-PoW-Solution", "")

@@ -2005,9 +2005,9 @@ class ShortURLCreateView(MethodView):
            add_rate_limit_headers(response, 0, limit, reset_timestamp)
            return response

-        # Proof-of-work
+        # Proof-of-work (trusted certs exempt)
        difficulty = current_app.config["POW_DIFFICULTY"]
-        if difficulty > 0:
+        if difficulty > 0 and not trusted_client:
            token = request.headers.get("X-PoW-Token", "")
            solution = request.headers.get("X-PoW-Solution", "")