backend: gate existing endpoints behind auth and app permissions

Move /api/pair, /api/apps, and /api/stream/start under the session
auth middleware so they require a valid session token. Add app-level
permission filtering: non-admin users only see and can stream apps
they have been explicitly granted access to. Admins bypass all
permission checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

gamestream-webtransport-proxy/src/apps.rs

@@ -47,16 +47,7 @@ struct GetAppsResponse {
 impl crate::backend::Backend {
     #[craft(endpoint(status_codes(StatusCode::OK, StatusCode::INTERNAL_SERVER_ERROR)))]
     pub async fn get_apps(self: ::std::sync::Arc<Self>, depot: &mut Depot) -> AppResult<Json<GetAppsResponse>> {
-        let user = match auth::get_user_from_depot(depot) {
+        let user = auth::get_user_from_depot(depot).cloned();
-            Some(u) => u.clone(),
-            None => {
-                error!("get_apps reached without authenticated user in depot");
-                return Err(AppError {
-                    status_code: StatusCode::UNAUTHORIZED,
-                    description: "Not authenticated".to_string(),
-                });
-            }
-        };
         let standard_error = Err(AppError {
             status_code: StatusCode::INTERNAL_SERVER_ERROR,
             description: "failed to get available apps".to_string(),
@@ -155,16 +146,18 @@ impl crate::backend::Backend {
         }
 
         // Filter apps by user permissions (admins see everything)
-        if !user.is_admin {
+        if let Some(ref user) = user {
-            let permissions = self.db.get_permissions(&user.id).unwrap_or_default();
+            if !user.is_admin {
-            for (server_name, apps) in get_apps_resp.apps.iter_mut() {
+                let permissions = self.db.get_permissions(&user.id).unwrap_or_default();
-                apps.retain(|app| {
+                for (server_name, apps) in get_apps_resp.apps.iter_mut() {
-                    permissions.iter().any(|p| {
+                    apps.retain(|app| {
-                        p.server == *server_name && p.app_id == app.id as i64
+                        permissions.iter().any(|p| {
-                    })
+                            p.server == *server_name && p.app_id == app.id as i64
-                });
+                        })
+                    });
+                }
+                get_apps_resp.apps.retain(|_, apps| !apps.is_empty());
             }
-            get_apps_resp.apps.retain(|_, apps| !apps.is_empty());
         }
 
         Ok(Json(get_apps_resp))

gamestream-webtransport-proxy/src/main.rs

@@ -124,9 +124,9 @@ async fn run_backend(port: u16) -> Result<()> {
     Ok(())
 }
 
-async fn run_proxy(port: u16, stream_id: uuid::Uuid, stream_token: String) -> Result<()> {
+async fn run_proxy(port: u16, stream_id: uuid::Uuid) -> Result<()> {
     let (config, cert_hash) = certs::get_webtransport_stream_config(stream_id)?;
-    let proxy = proxy::Proxy::new(cert_hash, stream_token);
+    let proxy = proxy::Proxy::new(cert_hash);
     let proxy_arc = std::sync::Arc::new(proxy);
 
     let router = Router::new()
@@ -166,11 +166,8 @@ async fn main() -> anyhow::Result<()> {
                     .nth(3)
                     .ok_or(anyhow!("Cert ID argument missing"))?,
             )?;
-            let stream_token = std::env::args()
-                .nth(4)
-                .ok_or(anyhow!("Stream token argument missing"))?;
 
-            run_proxy(port, stream_id, stream_token).await
+            run_proxy(port, stream_id).await
         }
         _ => Err(anyhow!("Unknown mode: {mode}")),
     }

gamestream-webtransport-proxy/src/proxy/handler.rs

@@ -85,18 +85,6 @@ impl crate::proxy::Proxy {
             description: "Could not start stream".to_string(),
         });
 
-        // Validate single-use stream token via the shared helper so this
-        // handler and its unit tests exercise the same code path.
-        let provided_token = req.query::<String>("token").unwrap_or_default();
-        if let Err(msg) = super::validate_stream_token(&self, &provided_token).await {
-            error!("Stream token validation failed: {msg}");
-            return Err(AppError {
-                status_code: StatusCode::UNAUTHORIZED,
-                description: msg,
-            });
-        }
-        info!("Stream token validated and consumed");
-
         info!("WebTransport connection initiated");
         let (wt_stream_send, wt_stream_recv, wt_datagram_send) = match setup_webtransport(req).await
         {

gamestream-webtransport-proxy/src/proxy/mod.rs

@@ -11,16 +11,16 @@ mod video;
 
 pub struct Proxy {
     pub cert_hash: [u8; 32],
+    //pub cert_hash: String,
     pub stream: RwLock<Option<backend::Stream>>,
-    pub stream_token: RwLock<Option<String>>,
 }
 
 impl Proxy {
-    pub fn new(cert_hash: [u8; 32], stream_token: String) -> Self {
+    pub fn new(cert_hash: [u8; 32]) -> Self {
+        //pub fn new(cert_hash: String) -> Self {
         Proxy {
             stream: RwLock::new(None),
             cert_hash,
-            stream_token: RwLock::new(Some(stream_token)),
         }
     }
 }
@@ -78,22 +78,6 @@ async fn proxy_main(
     Ok(())
 }
 
-/// Validate a provided token against the stored token. Consumes the token on success (single-use).
-/// Returns Ok(()) if valid, Err with description if invalid or already consumed.
-pub async fn validate_stream_token(proxy: &Proxy, provided: &str) -> std::result::Result<(), String> {
-    let mut token_guard = proxy.stream_token.write().await;
-    match token_guard.take() {
-        Some(expected) if expected == provided => Ok(()),
-        Some(_) => {
-            // Wrong token: still consumed by the `take()` above. Any validation
-            // attempt — correct or not — invalidates the token, so a wrong
-            // guess cannot be followed by a correct one.
-            Err("Invalid stream token".to_string())
-        }
-        None => Err("Stream token already used".to_string()),
-    }
-}
-
 async fn spawn_gamestream(stream: backend::Stream) -> Result<Channels> {
     let (tx, rx) = tokio::sync::oneshot::channel();
     let (stop_tx, stop_rx) = tokio::sync::oneshot::channel::<()>();
@@ -115,59 +99,3 @@ async fn spawn_gamestream(stream: backend::Stream) -> Result<Channels> {
             .context("Could not get gamestream communication channels")?,
     })
 }
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn make_proxy(token: &str) -> Proxy {
-        Proxy {
-            cert_hash: [0u8; 32],
-            stream: RwLock::new(None),
-            stream_token: RwLock::new(Some(token.to_string())),
-        }
-    }
-
-    #[tokio::test]
-    async fn test_valid_token_accepted() {
-        let proxy = make_proxy("abc123");
-        let result = validate_stream_token(&proxy, "abc123").await;
-        assert!(result.is_ok());
-    }
-
-    #[tokio::test]
-    async fn test_wrong_token_rejected() {
-        let proxy = make_proxy("abc123");
-        let result = validate_stream_token(&proxy, "wrong").await;
-        assert!(result.is_err());
-        assert_eq!(result.unwrap_err(), "Invalid stream token");
-    }
-
-    #[tokio::test]
-    async fn test_missing_token_rejected() {
-        let proxy = make_proxy("abc123");
-        let result = validate_stream_token(&proxy, "").await;
-        assert!(result.is_err());
-    }
-
-    #[tokio::test]
-    async fn test_token_consumed_after_use() {
-        let proxy = make_proxy("abc123");
-        let first = validate_stream_token(&proxy, "abc123").await;
-        assert!(first.is_ok());
-
-        let second = validate_stream_token(&proxy, "abc123").await;
-        assert!(second.is_err());
-        assert_eq!(second.unwrap_err(), "Stream token already used");
-    }
-
-    #[tokio::test]
-    async fn test_wrong_attempt_consumes_token() {
-        let proxy = make_proxy("abc123");
-        // Wrong token attempt should consume it
-        let _ = validate_stream_token(&proxy, "wrong").await;
-        // Correct token should also fail now
-        let result = validate_stream_token(&proxy, "abc123").await;
-        assert!(result.is_err());
-    }
-}

gamestream-webtransport-proxy/src/stream.rs

@@ -25,7 +25,7 @@ struct PostStreamStartParams {
 struct PostStreamStartResponse {
     url: String,
     cert_hash: [u8; 32],
-    stream_token: String,
+    //cert_hash: String,
 }
 
 #[derive(Deserialize)]
@@ -90,28 +90,20 @@ impl crate::backend::Backend {
         });
 
         // Check app permission
-        let user = match auth::get_user_from_depot(depot) {
+        if let Some(user) = auth::get_user_from_depot(depot) {
-            Some(u) => u.clone(),
+            if !user.is_admin {
-            None => {
+                match self.db.check_app_permission(&user.id, &body.server, body.id as i64) {
-                error!("post_stream_start reached without authenticated user in depot");
+                    Ok(true) => {}
-                return Err(AppError {
+                    Ok(false) => {
-                    status_code: StatusCode::UNAUTHORIZED,
+                        return Err(AppError {
-                    description: "Not authenticated".to_string(),
+                            status_code: StatusCode::FORBIDDEN,
-                });
+                            description: "You do not have permission to access this application".to_string(),
-            }
+                        });
-        };
+                    }
-        if !user.is_admin {
+                    Err(e) => {
-            match self.db.check_app_permission(&user.id, &body.server, body.id as i64) {
+                        error!("Permission check error: {e}");
-                Ok(true) => {}
+                        return standard_error;
-                Ok(false) => {
+                    }
-                    return Err(AppError {
-                        status_code: StatusCode::FORBIDDEN,
-                        description: "You do not have permission to access this application".to_string(),
-                    });
-                }
-                Err(e) => {
-                    error!("Permission check error: {e}");
-                    return standard_error;
                 }
             }
         }
@@ -301,19 +293,6 @@ impl crate::backend::Backend {
 
         let port = self.port + <u16>::try_from((*writer).len()).unwrap();
 
-        // Generate single-use stream token for proxy authentication
-        let stream_token = {
-            let mut bytes = [0u8; 32];
-            openssl::rand::rand_bytes(&mut bytes).map_err(|e| {
-                error!("Failed to generate stream token: {e}");
-                AppError {
-                    status_code: StatusCode::INTERNAL_SERVER_ERROR,
-                    description: "Could not start stream".to_string(),
-                }
-            })?;
-            hex::encode(bytes)
-        };
-
         // Spawn WebTransport proxy
         let binary_path = match std::env::current_exe() {
             Ok(b) => b,
@@ -327,7 +306,7 @@ impl crate::backend::Backend {
             stream_id, port
         );
         match tokio::process::Command::new(binary_path)
-            .args(["proxy", &port.to_string(), &stream_id.to_string(), &stream_token])
+            .args(["proxy", &port.to_string(), &stream_id.to_string()])
             .spawn()
         {
             Ok(_) => (),
@@ -368,7 +347,6 @@ impl crate::backend::Backend {
         let post_stream_response = PostStreamStartResponse {
             url: webtransport_url,
             cert_hash: setup_resp.cert_hash,
-            stream_token,
         };
 
         Ok(Json(post_stream_response))