From 283f87b9c4c9ddf4307389f878f2d0ea697f286d Mon Sep 17 00:00:00 2001
From: Username
Date: Mon, 16 Feb 2026 22:51:08 +0100
Subject: [PATCH] routes: skip PoW for trusted certificate holders
---
 app/api/routes.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/api/routes.py b/app/api/routes.py
index 2a1f302..2ff9e16 100644
--- a/app/api/routes.py
+++ b/app/api/routes.py
@@ -950,7 +950,7 @@ class IndexView(MethodView):
 f"GET {prefixed_url('/health')}": "Health check",
 f"GET {prefixed_url('/client')}": "Download CLI client (fpaste)",
 f"GET {prefixed_url('/challenge')}": "Get proof-of-work challenge",
- f"POST {prefixed_url('/')}": "Create paste (PoW required)",
+ f"POST {prefixed_url('/')}": "Create paste (PoW required unless trusted cert)",
 f"GET {prefixed_url('/pastes')}": "List your pastes (cert required)",
 f"GET {prefixed_url('/')}": "Get paste metadata",
 f"GET {prefixed_url('//raw')}": "Get raw paste content",
@@ -958,7 +958,7 @@ class IndexView(MethodView):
 f"DELETE {prefixed_url('/')}": "Delete paste (owner only)",
 f"GET {prefixed_url('/register/challenge')}": "Get registration challenge",
 f"POST {prefixed_url('/register')}": "Register for client certificate",
- f"POST {prefixed_url('/s')}": "Create short URL (PoW required)",
+ f"POST {prefixed_url('/s')}": "Create short URL (PoW required unless trusted cert)",
 f"GET {prefixed_url('/s')}": "List your short URLs (cert required)",
 f"GET {prefixed_url('/s/')}": "Redirect to target URL",
 f"GET {prefixed_url('/s//info')}": "Short URL metadata",
@@ -1072,9 +1072,9 @@ class IndexView(MethodView):
 add_rate_limit_headers(response, 0, limit, reset_timestamp)
 return response
- # Proof-of-work verification
+ # Proof-of-work verification (trusted certs exempt)
 difficulty = current_app.config["POW_DIFFICULTY"]
- if difficulty > 0:
+ if difficulty > 0 and not trusted_client:
 token = request.headers.get("X-PoW-Token", "")
 solution = request.headers.get("X-PoW-Solution", "")
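Review bot: The new condition `if difficulty > 0 and not trusted_client:` in the hunk at -1072 makes `trusted_client` the only gate on the proof-of-work cost, yet the variable is assigned outside the hunk, so nothing visible here shows that it comes from a verified, unexpired and unrevoked client certificate rather than from a request header a caller could supply. If it is populated from a proxy-supplied header, the exemption is only as strong as the proxy's header stripping, and that assumption belongs next to the check, e.g. `# trusted_client must only be set after certificate verification; with PoW skipped, rate limiting is the remaining throttle`. The same condition is repeated in the ShortURLCreateView hunk at -2005, and one shared helper would keep the two copies from drifting apart. Logging each exempted request together with the certificate identity would make abuse through a compromised trusted certificate visible to operators. The enclosing methods start and end outside both hunks.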
@@ -2005,9 +2005,9 @@ class ShortURLCreateView(MethodView):
 add_rate_limit_headers(response, 0, limit, reset_timestamp)
 return response
- # Proof-of-work
+ # Proof-of-work (trusted certs exempt)
 difficulty = current_app.config["POW_DIFFICULTY"]
- if difficulty > 0:
+ if difficulty > 0 and not trusted_client:
 token = request.headers.get("X-PoW-Token", "")
 solution = request.headers.get("X-PoW-Solution", "")