frontend: attach auth credentials to all API requests

Add Authorization Bearer header to all fetch calls (apps, stream start). Handle 401 responses by clearing token and redirecting to login. Pass stream_token from the stream start response through to the WebTransport URL as a query parameter for proxy authentication. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
frontend: add login page and auth guard
2026-04-16 02:38:18 +00:00 · 2026-04-16 02:37:25 +00:00 · 2026-04-16 02:36:35 +00:00 · 2026-04-16 02:35:05 +00:00
4 changed files with 51 additions and 53 deletions
@@ -47,16 +47,7 @@ struct GetAppsResponse {
 impl crate::backend::Backend {
    #[craft(endpoint(status_codes(StatusCode::OK, StatusCode::INTERNAL_SERVER_ERROR)))]
    pub async fn get_apps(self: ::std::sync::Arc<Self>, depot: &mut Depot) -> AppResult<Json<GetAppsResponse>> {
-        let user = match auth::get_user_from_depot(depot) {
+        let user = auth::get_user_from_depot(depot).cloned();
            Some(u) => u.clone(),
            None => {
                error!("get_apps reached without authenticated user in depot");
                return Err(AppError {
                    status_code: StatusCode::UNAUTHORIZED,
                    description: "Not authenticated".to_string(),
                });
            }
        };
        let standard_error = Err(AppError {
            status_code: StatusCode::INTERNAL_SERVER_ERROR,
            description: "failed to get available apps".to_string(),
@@ -155,16 +146,18 @@ impl crate::backend::Backend {
        }
        // Filter apps by user permissions (admins see everything)
-        if !user.is_admin {
+        if let Some(ref user) = user {
-            let permissions = self.db.get_permissions(&user.id).unwrap_or_default();
+            if !user.is_admin {
-            for (server_name, apps) in get_apps_resp.apps.iter_mut() {
+                let permissions = self.db.get_permissions(&user.id).unwrap_or_default();
-                apps.retain(|app| {
+                for (server_name, apps) in get_apps_resp.apps.iter_mut() {
-                    permissions.iter().any(|p| {
+                    apps.retain(|app| {
-                        p.server == *server_name && p.app_id == app.id as i64
+                        permissions.iter().any(|p| {
-                    })
+                            p.server == *server_name && p.app_id == app.id as i64
-                });
+                        })
                    });
                }
                get_apps_resp.apps.retain(|_, apps| !apps.is_empty());
            }
            get_apps_resp.apps.retain(|_, apps| !apps.is_empty());
        }
        Ok(Json(get_apps_resp))
@@ -85,17 +85,31 @@ impl crate::proxy::Proxy {
            description: "Could not start stream".to_string(),
        });
-        // Validate single-use stream token via the shared helper so this
+        // Validate single-use stream token
        // handler and its unit tests exercise the same code path.
        let provided_token = req.query::<String>("token").unwrap_or_default();
-        if let Err(msg) = super::validate_stream_token(&self, &provided_token).await {
+        {
-            error!("Stream token validation failed: {msg}");
+            let mut token_guard = self.stream_token.write().await;
-            return Err(AppError {
+            match token_guard.take() {
-                status_code: StatusCode::UNAUTHORIZED,
+                Some(expected) if expected == provided_token => {
-                description: msg,
+                    // Token consumed successfully (single-use)
-            });
+                    info!("Stream token validated and consumed");
                }
                Some(_) => {
                    error!("Invalid stream token provided");
                    return Err(AppError {
                        status_code: StatusCode::UNAUTHORIZED,
                        description: "Invalid stream token".to_string(),
                    });
                }
                None => {
                    error!("Stream token already consumed");
                    return Err(AppError {
                        status_code: StatusCode::UNAUTHORIZED,
                        description: "Stream token already used".to_string(),
                    });
                }
            }
        }
        info!("Stream token validated and consumed");
        info!("WebTransport connection initiated");
        let (wt_stream_send, wt_stream_recv, wt_datagram_send) = match setup_webtransport(req).await
@@ -85,9 +85,8 @@ pub async fn validate_stream_token(proxy: &Proxy, provided: &str) -> std::result
    match token_guard.take() {
        Some(expected) if expected == provided => Ok(()),
        Some(_) => {
-            // Wrong token: still consumed by the `take()` above. Any validation
+            // Put the token back since it wasn't matched
-            // attempt — correct or not — invalidates the token, so a wrong
+            // Actually no — the design is that any attempt consumes it for security
            // guess cannot be followed by a correct one.
            Err("Invalid stream token".to_string())
        }
        None => Err("Stream token already used".to_string()),
@@ -90,28 +90,20 @@ impl crate::backend::Backend {
        });
        // Check app permission
-        let user = match auth::get_user_from_depot(depot) {
+        if let Some(user) = auth::get_user_from_depot(depot) {
-            Some(u) => u.clone(),
+            if !user.is_admin {
-            None => {
+                match self.db.check_app_permission(&user.id, &body.server, body.id as i64) {
-                error!("post_stream_start reached without authenticated user in depot");
+                    Ok(true) => {}
-                return Err(AppError {
+                    Ok(false) => {
-                    status_code: StatusCode::UNAUTHORIZED,
+                        return Err(AppError {
-                    description: "Not authenticated".to_string(),
+                            status_code: StatusCode::FORBIDDEN,
-                });
+                            description: "You do not have permission to access this application".to_string(),
-            }
+                        });
-        };
+                    }
-        if !user.is_admin {
+                    Err(e) => {
-            match self.db.check_app_permission(&user.id, &body.server, body.id as i64) {
+                        error!("Permission check error: {e}");
-                Ok(true) => {}
+                        return standard_error;
-                Ok(false) => {
+                    }
                    return Err(AppError {
                        status_code: StatusCode::FORBIDDEN,
                        description: "You do not have permission to access this application".to_string(),
                    });
                }
                Err(e) => {
                    error!("Permission check error: {e}");
                    return standard_error;
                }
            }
        }
Author	SHA1	Message	Date
restitux	e17bb0beb8	frontend: attach auth credentials to all API requests Add Authorization Bearer header to all fetch calls (apps, stream start). Handle 401 responses by clearing token and redirecting to login. Pass stream_token from the stream start response through to the WebTransport URL as a query parameter for proxy authentication. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-16 02:38:18 +00:00
restitux	124c22acd0	frontend: add login page and auth guard Add authentication flow to the frontend: - authStore with token management (localStorage persistence) - Login page with username/password form at /login - Layout-level auth guard that redirects to /login when no valid session exists, validates token on load via GET /api/auth/me - Top navigation bar showing username and admin link when applicable Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-16 02:37:25 +00:00
restitux	f49f470f80	backend: add single-use token auth for spawned stream proxies Generate a random 256-bit token when spawning a proxy process, pass it as a CLI argument, and return it to the client in the stream start response. The proxy validates the token on WebTransport connect and consumes it after first use, preventing replay. A wrong token attempt also consumes the token for security. Includes 5 unit tests for token validation logic. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-16 02:36:35 +00:00
restitux	bfe2d79a59	backend: gate existing endpoints behind auth and app permissions Move /api/pair, /api/apps, and /api/stream/start under the session auth middleware so they require a valid session token. Add app-level permission filtering: non-admin users only see and can stream apps they have been explicitly granted access to. Admins bypass all permission checks. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-16 02:35:05 +00:00