Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 restitux
|
786579a7d8 | ||
|
restitux
|
af9359bbdf | ||
|
restitux
|
b8c705554f | ||
|
restitux
|
826a3b59c9 |
@@ -25,6 +25,7 @@
|
||||
streamStore.CertHash = streamData.CertHash;
|
||||
streamStore.Width = streamData.Width;
|
||||
streamStore.Height = streamData.Height;
|
||||
streamStore.StreamToken = streamData.StreamToken;
|
||||
|
||||
console.log(`Stream data retrieved. Navigating to /stream.`);
|
||||
await goto('/stream');
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
import { getToken, handleUnauthorized } from './stores/authStore.svelte';
|
||||
|
||||
export interface App {
|
||||
title: string;
|
||||
id: number;
|
||||
@@ -12,7 +14,15 @@ export interface AppsResponse {
|
||||
|
||||
export async function fetchApps() {
|
||||
console.log('Getting apps');
|
||||
const response = await fetch('/api/apps');
|
||||
const response = await fetch('/api/apps', {
|
||||
headers: { 'Authorization': `Bearer ${getToken()}` }
|
||||
});
|
||||
|
||||
if (response.status === 401) {
|
||||
handleUnauthorized();
|
||||
throw new Error('Unauthorized');
|
||||
}
|
||||
|
||||
console.log(response);
|
||||
const data = (await response.json()) as AppsResponse;
|
||||
console.log(data);
|
||||
|
||||
@@ -1,8 +1,11 @@
|
||||
import { getToken, handleUnauthorized } from './stores/authStore.svelte';
|
||||
|
||||
type StreamData = {
|
||||
Url: string,
|
||||
CertHash: Array<number>,
|
||||
Width: number,
|
||||
Height: number,
|
||||
StreamToken: string,
|
||||
}
|
||||
|
||||
export async function getStreamData(appId: number, server_name: string): Promise<StreamData> {
|
||||
@@ -34,10 +37,16 @@ export async function getStreamData(appId: number, server_name: string): Promise
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
'Authorization': `Bearer ${getToken()}`,
|
||||
},
|
||||
body: JSON.stringify(payload)
|
||||
});
|
||||
|
||||
if (response.status === 401) {
|
||||
handleUnauthorized();
|
||||
throw new Error('Unauthorized');
|
||||
}
|
||||
|
||||
if (!response.ok) {
|
||||
throw new Error(`HTTP error! status: ${response.status}: ${await response.text()}`);
|
||||
}
|
||||
@@ -45,15 +54,17 @@ export async function getStreamData(appId: number, server_name: string): Promise
|
||||
const streamDataResp = await response.json();
|
||||
console.log('Stream started:', streamDataResp);
|
||||
|
||||
let streamData: StreamData = { Url: streamDataResp.url, CertHash: streamDataResp.cert_hash, Width: width, Height: height };
|
||||
let streamData: StreamData = {
|
||||
Url: streamDataResp.url,
|
||||
CertHash: streamDataResp.cert_hash,
|
||||
Width: width,
|
||||
Height: height,
|
||||
StreamToken: streamDataResp.stream_token,
|
||||
};
|
||||
return streamData;
|
||||
|
||||
|
||||
} catch (error) {
|
||||
console.error('Error getting stream data: ', error);
|
||||
throw new Error('Failed to start stream: ' + error);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -3,4 +3,5 @@ export const streamStore = $state({
|
||||
CertHash: [0],
|
||||
Width: 0,
|
||||
Height: 0,
|
||||
StreamToken: '',
|
||||
});
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
$: certHash = streamStore.CertHash;
|
||||
$: width = streamStore.Width;
|
||||
$: height = streamStore.Height;
|
||||
$: streamToken = streamStore.StreamToken;
|
||||
</script>
|
||||
|
||||
<svelte:head>
|
||||
@@ -13,9 +14,7 @@
|
||||
<meta name="description" content="Streaming game" />
|
||||
</svelte:head>
|
||||
|
||||
<!--<section>
|
||||
</section>-->
|
||||
<Stream {url} {certHash} {width} {height} />
|
||||
<Stream {url} {certHash} {width} {height} {streamToken} />
|
||||
|
||||
<style>
|
||||
section {
|
||||
|
||||
@@ -8,17 +8,20 @@
|
||||
certHash: Array<number>;
|
||||
width: number;
|
||||
height: number;
|
||||
streamToken: string;
|
||||
}
|
||||
|
||||
let { url, certHash, width, height }: Props = $props();
|
||||
let { url, certHash, width, height, streamToken }: Props = $props();
|
||||
let loading = $state(true);
|
||||
let fullscreen = $state(false);
|
||||
let gameplayView: HTMLDivElement;
|
||||
let gameplayCanvas: HTMLCanvasElement;
|
||||
|
||||
async function startStream() {
|
||||
// Append stream token to URL for proxy authentication
|
||||
const authenticatedUrl = url + (url.includes('?') ? '&' : '?') + 'token=' + encodeURIComponent(streamToken);
|
||||
await startWebtransportStream(
|
||||
url,
|
||||
authenticatedUrl,
|
||||
certHash,
|
||||
width,
|
||||
height,
|
||||
|
||||
@@ -47,7 +47,16 @@ struct GetAppsResponse {
|
||||
impl crate::backend::Backend {
|
||||
#[craft(endpoint(status_codes(StatusCode::OK, StatusCode::INTERNAL_SERVER_ERROR)))]
|
||||
pub async fn get_apps(self: ::std::sync::Arc<Self>, depot: &mut Depot) -> AppResult<Json<GetAppsResponse>> {
|
||||
let user = auth::get_user_from_depot(depot).cloned();
|
||||
let user = match auth::get_user_from_depot(depot) {
|
||||
Some(u) => u.clone(),
|
||||
None => {
|
||||
error!("get_apps reached without authenticated user in depot");
|
||||
return Err(AppError {
|
||||
status_code: StatusCode::UNAUTHORIZED,
|
||||
description: "Not authenticated".to_string(),
|
||||
});
|
||||
}
|
||||
};
|
||||
let standard_error = Err(AppError {
|
||||
status_code: StatusCode::INTERNAL_SERVER_ERROR,
|
||||
description: "failed to get available apps".to_string(),
|
||||
@@ -146,18 +155,16 @@ impl crate::backend::Backend {
|
||||
}
|
||||
|
||||
// Filter apps by user permissions (admins see everything)
|
||||
if let Some(ref user) = user {
|
||||
if !user.is_admin {
|
||||
let permissions = self.db.get_permissions(&user.id).unwrap_or_default();
|
||||
for (server_name, apps) in get_apps_resp.apps.iter_mut() {
|
||||
apps.retain(|app| {
|
||||
permissions.iter().any(|p| {
|
||||
p.server == *server_name && p.app_id == app.id as i64
|
||||
})
|
||||
});
|
||||
}
|
||||
get_apps_resp.apps.retain(|_, apps| !apps.is_empty());
|
||||
if !user.is_admin {
|
||||
let permissions = self.db.get_permissions(&user.id).unwrap_or_default();
|
||||
for (server_name, apps) in get_apps_resp.apps.iter_mut() {
|
||||
apps.retain(|app| {
|
||||
permissions.iter().any(|p| {
|
||||
p.server == *server_name && p.app_id == app.id as i64
|
||||
})
|
||||
});
|
||||
}
|
||||
get_apps_resp.apps.retain(|_, apps| !apps.is_empty());
|
||||
}
|
||||
|
||||
Ok(Json(get_apps_resp))
|
||||
|
||||
@@ -85,31 +85,17 @@ impl crate::proxy::Proxy {
|
||||
description: "Could not start stream".to_string(),
|
||||
});
|
||||
|
||||
// Validate single-use stream token
|
||||
// Validate single-use stream token via the shared helper so this
|
||||
// handler and its unit tests exercise the same code path.
|
||||
let provided_token = req.query::<String>("token").unwrap_or_default();
|
||||
{
|
||||
let mut token_guard = self.stream_token.write().await;
|
||||
match token_guard.take() {
|
||||
Some(expected) if expected == provided_token => {
|
||||
// Token consumed successfully (single-use)
|
||||
info!("Stream token validated and consumed");
|
||||
}
|
||||
Some(_) => {
|
||||
error!("Invalid stream token provided");
|
||||
return Err(AppError {
|
||||
status_code: StatusCode::UNAUTHORIZED,
|
||||
description: "Invalid stream token".to_string(),
|
||||
});
|
||||
}
|
||||
None => {
|
||||
error!("Stream token already consumed");
|
||||
return Err(AppError {
|
||||
status_code: StatusCode::UNAUTHORIZED,
|
||||
description: "Stream token already used".to_string(),
|
||||
});
|
||||
}
|
||||
}
|
||||
if let Err(msg) = super::validate_stream_token(&self, &provided_token).await {
|
||||
error!("Stream token validation failed: {msg}");
|
||||
return Err(AppError {
|
||||
status_code: StatusCode::UNAUTHORIZED,
|
||||
description: msg,
|
||||
});
|
||||
}
|
||||
info!("Stream token validated and consumed");
|
||||
|
||||
info!("WebTransport connection initiated");
|
||||
let (wt_stream_send, wt_stream_recv, wt_datagram_send) = match setup_webtransport(req).await
|
||||
|
||||
@@ -85,8 +85,9 @@ pub async fn validate_stream_token(proxy: &Proxy, provided: &str) -> std::result
|
||||
match token_guard.take() {
|
||||
Some(expected) if expected == provided => Ok(()),
|
||||
Some(_) => {
|
||||
// Put the token back since it wasn't matched
|
||||
// Actually no — the design is that any attempt consumes it for security
|
||||
// Wrong token: still consumed by the `take()` above. Any validation
|
||||
// attempt — correct or not — invalidates the token, so a wrong
|
||||
// guess cannot be followed by a correct one.
|
||||
Err("Invalid stream token".to_string())
|
||||
}
|
||||
None => Err("Stream token already used".to_string()),
|
||||
|
||||
@@ -90,20 +90,28 @@ impl crate::backend::Backend {
|
||||
});
|
||||
|
||||
// Check app permission
|
||||
if let Some(user) = auth::get_user_from_depot(depot) {
|
||||
if !user.is_admin {
|
||||
match self.db.check_app_permission(&user.id, &body.server, body.id as i64) {
|
||||
Ok(true) => {}
|
||||
Ok(false) => {
|
||||
return Err(AppError {
|
||||
status_code: StatusCode::FORBIDDEN,
|
||||
description: "You do not have permission to access this application".to_string(),
|
||||
});
|
||||
}
|
||||
Err(e) => {
|
||||
error!("Permission check error: {e}");
|
||||
return standard_error;
|
||||
}
|
||||
let user = match auth::get_user_from_depot(depot) {
|
||||
Some(u) => u.clone(),
|
||||
None => {
|
||||
error!("post_stream_start reached without authenticated user in depot");
|
||||
return Err(AppError {
|
||||
status_code: StatusCode::UNAUTHORIZED,
|
||||
description: "Not authenticated".to_string(),
|
||||
});
|
||||
}
|
||||
};
|
||||
if !user.is_admin {
|
||||
match self.db.check_app_permission(&user.id, &body.server, body.id as i64) {
|
||||
Ok(true) => {}
|
||||
Ok(false) => {
|
||||
return Err(AppError {
|
||||
status_code: StatusCode::FORBIDDEN,
|
||||
description: "You do not have permission to access this application".to_string(),
|
||||
});
|
||||
}
|
||||
Err(e) => {
|
||||
error!("Permission check error: {e}");
|
||||
return standard_error;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user