backend: add single-use token auth for spawned stream proxies

Generate a random 256-bit token when spawning a proxy process, pass it as a CLI argument, and return it to the client in the stream start response. The proxy validates the token on WebTransport connect and consumes it after first use, preventing replay. A wrong token attempt also consumes the token for security. Includes 5 unit tests for token validation logic. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-16 02:36:35 +00:00
parent bfe2d79a59
commit f49f470f80
4 changed files with 122 additions and 8 deletions
@@ -85,6 +85,32 @@ impl crate::proxy::Proxy {
            description: "Could not start stream".to_string(),
        });

+        // Validate single-use stream token
+        let provided_token = req.query::<String>("token").unwrap_or_default();
+        {
+            let mut token_guard = self.stream_token.write().await;
+            match token_guard.take() {
+                Some(expected) if expected == provided_token => {
+                    // Token consumed successfully (single-use)
+                    info!("Stream token validated and consumed");
+                }
+                Some(_) => {
+                    error!("Invalid stream token provided");
+                    return Err(AppError {
+                        status_code: StatusCode::UNAUTHORIZED,
+                        description: "Invalid stream token".to_string(),
+                    });
+                }
+                None => {
+                    error!("Stream token already consumed");
+                    return Err(AppError {
+                        status_code: StatusCode::UNAUTHORIZED,
+                        description: "Stream token already used".to_string(),
+                    });
+                }
+            }
+        }
+
        info!("WebTransport connection initiated");
        let (wt_stream_send, wt_stream_recv, wt_datagram_send) = match setup_webtransport(req).await
        {