restitux/gamestream-webtransport-proxy
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

Compare commits

base: restitux/gamestream-webtransport-proxy:bfe2d79a59ab4629bdaf041e3b1abc065544126e
Branches Tags
restitux/gamestream-webtransport-proxy:main restitux/gamestream-webtransport-proxy:auth/3-stream-proxy-token restitux/gamestream-webtransport-proxy:auth/4-frontend-login restitux/gamestream-webtransport-proxy:auth/5-attach-credentials restitux/gamestream-webtransport-proxy:auth/6-admin-panel restitux/gamestream-webtransport-proxy:auth/2-gate-endpoints restitux/gamestream-webtransport-proxy:auth/1-user-management
..
compare: restitux/gamestream-webtransport-proxy:826a3b59c9492a368c0bb7c0ae0279ae7c2df8e4
Branches Tags
restitux/gamestream-webtransport-proxy:auth/3-stream-proxy-token restitux/gamestream-webtransport-proxy:auth/4-frontend-login restitux/gamestream-webtransport-proxy:auth/5-attach-credentials restitux/gamestream-webtransport-proxy:auth/6-admin-panel restitux/gamestream-webtransport-proxy:auth/2-gate-endpoints restitux/gamestream-webtransport-proxy:auth/1-user-management restitux/gamestream-webtransport-proxy:main

1 Commits
bfe2d79a59 .. 826a3b59c9

Author SHA1 Message Date
restitux 826a3b59c9 backend: gate existing endpoints behind auth and app permissions 
Move /api/pair, /api/apps, and /api/stream/start under the session
auth middleware so they require a valid session token. Add app-level
permission filtering: non-admin users only see and can stream apps
they have been explicitly granted access to. Admins bypass all
permission checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-16 15:12:22 +00:00
2 changed files with 41 additions and 26 deletions
Expand all files Collapse all files
gamestream-webtransport-proxy/src/apps.rs
+10 -3
View File
@@ -47,7 +47,16 @@ struct GetAppsResponse {
impl crate::backend::Backend {
#[craft(endpoint(status_codes(StatusCode::OK, StatusCode::INTERNAL_SERVER_ERROR)))]
pub async fn get_apps(self: ::std::sync::Arc<Self>, depot: &mut Depot) -> AppResult<Json<GetAppsResponse>> {
let user = auth::get_user_from_depot(depot).cloned();
let user = match auth::get_user_from_depot(depot) {
Some(u) => u.clone(),
None => {
error!("get_apps reached without authenticated user in depot");
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: "Not authenticated".to_string(),
});
}
};
let standard_error = Err(AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "failed to get available apps".to_string(),
@@ -146,7 +155,6 @@ impl crate::backend::Backend {
}
// Filter apps by user permissions (admins see everything)
if let Some(ref user) = user {
if !user.is_admin {
let permissions = self.db.get_permissions(&user.id).unwrap_or_default();
for (server_name, apps) in get_apps_resp.apps.iter_mut() {
@@ -158,7 +166,6 @@ impl crate::backend::Backend {
}
get_apps_resp.apps.retain(|_, apps| !apps.is_empty());
}
}
Ok(Json(get_apps_resp))
}
gamestream-webtransport-proxy/src/stream.rs
+10 -2
View File
@@ -90,7 +90,16 @@ impl crate::backend::Backend {
});
// Check app permission
if let Some(user) = auth::get_user_from_depot(depot) {
let user = match auth::get_user_from_depot(depot) {
Some(u) => u.clone(),
None => {
error!("post_stream_start reached without authenticated user in depot");
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: "Not authenticated".to_string(),
});
}
};
if !user.is_admin {
match self.db.check_app_permission(&user.id, &body.server, body.id as i64) {
Ok(true) => {}
@@ -106,7 +115,6 @@ impl crate::backend::Backend {
}
}
}
}
let reader = self.state.read().await;