restitux/gamestream-webtransport-proxy
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

Compare commits

base: restitux/gamestream-webtransport-proxy:6a0c97dd9efeecf959a404e759d291f046370f9e
Branches Tags
restitux/gamestream-webtransport-proxy:main restitux/gamestream-webtransport-proxy:auth/3-stream-proxy-token restitux/gamestream-webtransport-proxy:auth/4-frontend-login restitux/gamestream-webtransport-proxy:auth/5-attach-credentials restitux/gamestream-webtransport-proxy:auth/6-admin-panel restitux/gamestream-webtransport-proxy:auth/2-gate-endpoints restitux/gamestream-webtransport-proxy:auth/1-user-management
..
compare: restitux/gamestream-webtransport-proxy:786579a7d8fac594cf0e5545e0e022d9e65c62a7
Branches Tags
restitux/gamestream-webtransport-proxy:auth/3-stream-proxy-token restitux/gamestream-webtransport-proxy:auth/4-frontend-login restitux/gamestream-webtransport-proxy:auth/5-attach-credentials restitux/gamestream-webtransport-proxy:auth/6-admin-panel restitux/gamestream-webtransport-proxy:auth/2-gate-endpoints restitux/gamestream-webtransport-proxy:auth/1-user-management restitux/gamestream-webtransport-proxy:main

3 Commits
6a0c97dd9e .. 786579a7d8

Author SHA1 Message Date
restitux 786579a7d8 frontend: attach auth credentials to all API requests 
Add Authorization Bearer header to all fetch calls (apps, stream
start). Handle 401 responses by clearing token and redirecting to
login. Pass stream_token from the stream start response through to
the WebTransport URL as a query parameter for proxy authentication.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-16 15:36:29 +00:00
restitux af9359bbdf frontend: add login page and auth guard 
Add authentication flow to the frontend:
- authStore with token management (localStorage persistence)
- Login page with username/password form at /login
- Layout-level auth guard that redirects to /login when no valid
  session exists, validates token on load via GET /api/auth/me
- Top navigation bar showing username and admin link when applicable

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-16 15:36:29 +00:00
restitux b8c705554f backend: add single-use token auth for spawned stream proxies 
Generate a random 256-bit token when spawning a proxy process, pass
it as a CLI argument, and return it to the client in the stream start
response. The proxy validates the token on WebTransport connect and
consumes it after first use, preventing replay. A wrong token attempt
also consumes the token for security. Includes 5 unit tests for token
validation logic.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-16 15:36:29 +00:00
1 changed files with 9 additions and 23 deletions
Expand all files Collapse all files
gamestream-webtransport-proxy/src/proxy/handler.rs
+9 -23
View File
@@ -85,31 +85,17 @@ impl crate::proxy::Proxy {
description: "Could not start stream".to_string(),
});
// Validate single-use stream token
// Validate single-use stream token via the shared helper so this
// handler and its unit tests exercise the same code path.
let provided_token = req.query::<String>("token").unwrap_or_default();
{
let mut token_guard = self.stream_token.write().await;
match token_guard.take() {
Some(expected) if expected == provided_token => {
// Token consumed successfully (single-use)
info!("Stream token validated and consumed");
}
Some(_) => {
error!("Invalid stream token provided");
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: "Invalid stream token".to_string(),
});
}
None => {
error!("Stream token already consumed");
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: "Stream token already used".to_string(),
});
}
}
if let Err(msg) = super::validate_stream_token(&self, &provided_token).await {
error!("Stream token validation failed: {msg}");
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: msg,
});
}
info!("Stream token validated and consumed");
info!("WebTransport connection initiated");
let (wt_stream_send, wt_stream_recv, wt_datagram_send) = match setup_webtransport(req).await