restitux/gamestream-webtransport-proxy
1
0
Fork 0
Code Issues Pull Requests 6 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: restitux/gamestream-webtransport-proxy:main
Branches Tags
restitux/gamestream-webtransport-proxy:main restitux/gamestream-webtransport-proxy:auth/3-stream-proxy-token restitux/gamestream-webtransport-proxy:auth/4-frontend-login restitux/gamestream-webtransport-proxy:auth/5-attach-credentials restitux/gamestream-webtransport-proxy:auth/6-admin-panel restitux/gamestream-webtransport-proxy:auth/2-gate-endpoints restitux/gamestream-webtransport-proxy:auth/1-user-management
...
pull from: restitux/gamestream-webtransport-proxy:auth/4-frontend-login
Branches Tags
restitux/gamestream-webtransport-proxy:auth/3-stream-proxy-token restitux/gamestream-webtransport-proxy:auth/4-frontend-login restitux/gamestream-webtransport-proxy:auth/5-attach-credentials restitux/gamestream-webtransport-proxy:auth/6-admin-panel restitux/gamestream-webtransport-proxy:auth/2-gate-endpoints restitux/gamestream-webtransport-proxy:auth/1-user-management restitux/gamestream-webtransport-proxy:main

4 Commits
main ... auth/4-frontend-login

Author SHA1 Message Date
restitux af9359bbdf frontend: add login page and auth guard 
Add authentication flow to the frontend:
- authStore with token management (localStorage persistence)
- Login page with username/password form at /login
- Layout-level auth guard that redirects to /login when no valid
  session exists, validates token on load via GET /api/auth/me
- Top navigation bar showing username and admin link when applicable

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-16 15:36:29 +00:00
restitux b8c705554f backend: add single-use token auth for spawned stream proxies 
Generate a random 256-bit token when spawning a proxy process, pass
it as a CLI argument, and return it to the client in the stream start
response. The proxy validates the token on WebTransport connect and
consumes it after first use, preventing replay. A wrong token attempt
also consumes the token for security. Includes 5 unit tests for token
validation logic.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-16 15:36:29 +00:00
restitux 826a3b59c9 backend: gate existing endpoints behind auth and app permissions 
Move /api/pair, /api/apps, and /api/stream/start under the session
auth middleware so they require a valid session token. Add app-level
permission filtering: non-admin users only see and can stream apps
they have been explicitly granted access to. Admins bypass all
permission checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-16 15:12:22 +00:00
restitux 22f9405229 backend: add user management system with SQLite database 
Add authentication and authorization infrastructure:
- SQLite database (db.rs) with users, sessions, and app permissions tables
- Password hashing with argon2
- Session-based auth with random 256-bit tokens
- Auth middleware (session validation) and admin middleware
- Login/logout/me endpoints
- Admin CRUD endpoints for user and permission management
- Auto-seed default admin user on first run
- 23 unit tests covering all DB operations

Existing API endpoints are not yet gated behind auth.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-04-16 02:34:02 +00:00
13 changed files with 1608 additions and 40 deletions
Expand all files Collapse all files
Cargo.lock
Generated
+95
View File
@@ -93,6 +93,18 @@ version = "1.0.98"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487" checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487"
[[package]]
name = "argon2"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072"
dependencies = [
"base64ct",
"blake2",
"cpufeatures",
"password-hash",
]
[[package]] [[package]]
name = "arrayvec" name = "arrayvec"
version = "0.7.6" version = "0.7.6"
@@ -143,6 +155,12 @@ version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
[[package]]
name = "base64ct"
version = "1.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
[[package]] [[package]]
name = "bindgen" name = "bindgen"
version = "0.72.0" version = "0.72.0"
@@ -181,6 +199,15 @@ dependencies = [
"wyz", "wyz",
] ]
[[package]]
name = "blake2"
version = "0.10.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe"
dependencies = [
"digest",
]
[[package]] [[package]]
name = "block-buffer" name = "block-buffer"
version = "0.10.4" version = "0.10.4"
@@ -531,6 +558,18 @@ dependencies = [
"xxhash-rust", "xxhash-rust",
] ]
[[package]]
name = "fallible-iterator"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2acce4a10f12dc2fb14a218589d4f1f62ef011b2d0cc4b3cb1bba8e94da14649"
[[package]]
name = "fallible-streaming-iterator"
version = "0.1.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7360491ce676a36bf9bb3c56c1aa791658183a54d2744120f27285738d90465a"
[[package]] [[package]]
name = "fastrand" name = "fastrand"
version = "2.3.0" version = "2.3.0"
@@ -553,6 +592,12 @@ version = "1.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
[[package]]
name = "foldhash"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
[[package]] [[package]]
name = "foreign-types" name = "foreign-types"
version = "0.3.2" version = "0.3.2"
@@ -677,6 +722,7 @@ name = "gamestream-webtransport-proxy"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"argon2",
"directories", "directories",
"flatbuffers", "flatbuffers",
"getrandom 0.3.3", "getrandom 0.3.3",
@@ -690,6 +736,7 @@ dependencies = [
"openssl", "openssl",
"rand 0.9.1", "rand 0.9.1",
"reqwest", "reqwest",
"rusqlite",
"salvo", "salvo",
"serde", "serde",
"serde-xml-rs", "serde-xml-rs",
@@ -834,6 +881,18 @@ name = "hashbrown"
version = "0.15.4" version = "0.15.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5971ac85611da7067dbfcabef3c70ebb5606018acd9e2a3903a0da507521e0d5" checksum = "5971ac85611da7067dbfcabef3c70ebb5606018acd9e2a3903a0da507521e0d5"
dependencies = [
"foldhash",
]
[[package]]
name = "hashlink"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1"
dependencies = [
"hashbrown 0.15.4",
]
[[package]] [[package]]
name = "headers" name = "headers"
@@ -1256,6 +1315,17 @@ dependencies = [
"libc", "libc",
] ]
[[package]]
name = "libsqlite3-sys"
version = "0.32.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fbb8270bb4060bd76c6e96f20c52d80620f1d82a3470885694e41e0f81ef6fe7"
dependencies = [
"cc",
"pkg-config",
"vcpkg",
]
[[package]] [[package]]
name = "linux-raw-sys" name = "linux-raw-sys"
version = "0.9.4" version = "0.9.4"
@@ -1549,6 +1619,17 @@ dependencies = [
"windows-targets 0.52.6", "windows-targets 0.52.6",
] ]
[[package]]
name = "password-hash"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166"
dependencies = [
"base64ct",
"rand_core 0.6.4",
"subtle",
]
[[package]] [[package]]
name = "path-slash" name = "path-slash"
version = "0.2.1" version = "0.2.1"
@@ -1989,6 +2070,20 @@ dependencies = [
"syn 1.0.109", "syn 1.0.109",
] ]
[[package]]
name = "rusqlite"
version = "0.34.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "37e34486da88d8e051c7c0e23c3f15fd806ea8546260aa2fec247e97242ec143"
dependencies = [
"bitflags",
"fallible-iterator",
"fallible-streaming-iterator",
"hashlink",
"libsqlite3-sys",
"smallvec",
]
[[package]] [[package]]
name = "rust-embed" name = "rust-embed"
version = "8.6.0" version = "8.6.0"
frontend/src/routes/+layout.svelte
+75 -22
View File
@@ -1,22 +1,67 @@
<script lang="ts"> <script lang="ts">
//import Header from './Header.svelte'; import { onMount } from 'svelte';
import { goto } from '$app/navigation';
import { page } from '$app/state';
import { isAuthenticated, getToken, handleUnauthorized } from './stores/authStore.svelte';
import '../app.css'; import '../app.css';
let { children } = $props(); let { children } = $props();
let userProfile: { username: string; is_admin: boolean } | null = $state(null);
let authChecked = $state(false);
onMount(async () => {
const currentPath = page.url.pathname;
if (currentPath === '/login') {
authChecked = true;
return;
}
if (!isAuthenticated()) {
await goto('/login');
authChecked = true;
return;
}
// Validate token by fetching user profile
try {
const response = await fetch('/api/auth/me', {
headers: { Authorization: `Bearer ${getToken()}` }
});
if (!response.ok) {
handleUnauthorized();
authChecked = true;
return;
}
userProfile = await response.json();
} catch {
handleUnauthorized();
}
authChecked = true;
});
</script> </script>
<div class="app"> <div class="app">
<!--<Header />--> {#if authChecked}
{#if userProfile && page.url.pathname !== '/login'}
<nav class="top-nav">
<a href="/" class="nav-link">Apps</a>
{#if userProfile.is_admin}
<a href="/admin" class="nav-link">Admin</a>
{/if}
<span class="nav-spacer"></span>
<span class="nav-user">{userProfile.username}</span>
</nav>
{/if}
<main> <main>
{@render children()} {@render children()}
</main> </main>
{/if}
<!--<footer>
<p>
visit <a href="https://svelte.dev/docs/kit">svelte.dev/docs/kit</a> to learn about SvelteKit
</p>
</footer>-->
</div> </div>
<style> <style>
@@ -27,31 +72,39 @@
} }
main { main {
/*flex: 1;*/
/*display: flex;*/
/*flex-direction: column;*/
/*padding: 1rem;*/
width: 100%; width: 100%;
/*max-width: 64rem;*/
margin: 0 auto; margin: 0 auto;
box-sizing: border-box; box-sizing: border-box;
} }
footer { .top-nav {
display: flex; display: flex;
flex-direction: column;
justify-content: center;
align-items: center; align-items: center;
padding: 12px; padding: 0.5rem 1rem;
background-color: #1a1a2e;
border-bottom: 1px solid #333;
} }
footer a { .nav-link {
font-weight: bold; color: #aaa;
text-decoration: none;
padding: 0.4rem 0.8rem;
border-radius: 4px;
font-size: 0.9rem;
} }
@media (min-width: 480px) { .nav-link:hover {
footer { color: #e0e0e0;
padding: 12px 0; background-color: #2a2a4e;
text-decoration: none;
} }
.nav-spacer {
flex-grow: 1;
}
.nav-user {
color: #888;
font-size: 0.85rem;
} }
</style> </style>
frontend/src/routes/login/+page.svelte
+166
View File
@@ -0,0 +1,166 @@
<script lang="ts">
import { goto } from '$app/navigation';
import { setToken, isAuthenticated } from '../stores/authStore.svelte';
import { onMount } from 'svelte';
let username = $state('');
let password = $state('');
let error = $state('');
let loading = $state(false);
onMount(() => {
if (isAuthenticated()) {
goto('/');
}
});
async function handleLogin(event: Event) {
event.preventDefault();
error = '';
loading = true;
try {
const response = await fetch('/api/auth/login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ username, password })
});
if (!response.ok) {
const data = await response.json().catch(() => null);
error = data?.description || 'Invalid username or password';
return;
}
const data = await response.json();
setToken(data.token);
await goto('/');
} catch (e) {
error = 'Connection error. Please try again.';
} finally {
loading = false;
}
}
</script>
<svelte:head>
<title>Login</title>
</svelte:head>
<div class="login-container">
<div class="login-box">
<h1>GameStream</h1>
<form onsubmit={handleLogin}>
<div class="field">
<label for="username">Username</label>
<input
id="username"
type="text"
bind:value={username}
autocomplete="username"
required
disabled={loading}
/>
</div>
<div class="field">
<label for="password">Password</label>
<input
id="password"
type="password"
bind:value={password}
autocomplete="current-password"
required
disabled={loading}
/>
</div>
{#if error}
<div class="error">{error}</div>
{/if}
<button type="submit" disabled={loading}>
{loading ? 'Signing in...' : 'Sign in'}
</button>
</form>
</div>
</div>
<style>
.login-container {
display: flex;
justify-content: center;
align-items: center;
min-height: 100vh;
}
.login-box {
background-color: #1a1a2e;
border: 1px solid #333;
border-radius: 12px;
padding: 2.5rem;
width: 100%;
max-width: 380px;
}
h1 {
color: #e0e0e0;
margin: 0 0 1.5rem 0;
font-size: 1.5rem;
}
.field {
margin-bottom: 1rem;
}
label {
display: block;
color: #aaa;
font-size: 0.85rem;
margin-bottom: 0.3rem;
}
input {
width: 100%;
padding: 0.6rem 0.8rem;
border: 1px solid #444;
border-radius: 6px;
background-color: #0f0f23;
color: #e0e0e0;
font-size: 1rem;
box-sizing: border-box;
}
input:focus {
outline: none;
border-color: #00aaff;
}
input:disabled {
opacity: 0.6;
}
.error {
color: #ff4444;
font-size: 0.85rem;
margin-bottom: 1rem;
}
button {
width: 100%;
padding: 0.7rem;
border: none;
border-radius: 6px;
background-color: #00aaff;
color: white;
font-size: 1rem;
cursor: pointer;
transition: background-color 0.2s;
}
button:hover:not(:disabled) {
background-color: #0088cc;
}
button:disabled {
opacity: 0.6;
cursor: not-allowed;
}
</style>
frontend/src/routes/stores/authStore.svelte.ts
+43
View File
@@ -0,0 +1,43 @@
import { goto } from '$app/navigation';
interface AuthState {
token: string | null;
}
function loadToken(): string | null {
if (typeof window === 'undefined') return null;
return localStorage.getItem('auth_token');
}
export const authStore: AuthState = $state({
token: loadToken()
});
export function getToken(): string | null {
return authStore.token;
}
export function setToken(token: string) {
authStore.token = token;
localStorage.setItem('auth_token', token);
}
export function clearToken() {
authStore.token = null;
localStorage.removeItem('auth_token');
}
export function isAuthenticated(): boolean {
return authStore.token !== null;
}
export function requireAuth() {
if (!isAuthenticated()) {
goto('/login');
}
}
export function handleUnauthorized() {
clearToken();
goto('/login');
}
gamestream-webtransport-proxy/Cargo.toml
+2
View File
@@ -5,6 +5,7 @@ edition = "2024"
[dependencies] [dependencies]
anyhow = "1.0.98" anyhow = "1.0.98"
argon2 = "0.5"
directories = "6.0.0" directories = "6.0.0"
flatbuffers = "25.2.10" flatbuffers = "25.2.10"
getrandom = { version = "0.3.3", features = ["std"] } getrandom = { version = "0.3.3", features = ["std"] }
@@ -17,6 +18,7 @@ libc = "0.2.174"
moonlight-common-c-sys = { path = "../moonlight-common-c-sys" } moonlight-common-c-sys = { path = "../moonlight-common-c-sys" }
openssl = "0.10.73" openssl = "0.10.73"
rand = "0.9.1" rand = "0.9.1"
rusqlite = { version = "0.34", features = ["bundled"] }
reqwest = { version = "0.12.20", features = [ reqwest = { version = "0.12.20", features = [
"rustls-tls", "rustls-tls",
"native-tls", "native-tls",
gamestream-webtransport-proxy/src/apps.rs
+25 -1
View File
@@ -5,6 +5,7 @@ use serde::{Deserialize, Serialize};
use tracing::{debug, error}; use tracing::{debug, error};
use crate::{ use crate::{
auth,
common, common,
common::{AppError, AppResult}, common::{AppError, AppResult},
responses, responses,
@@ -45,7 +46,17 @@ struct GetAppsResponse {
#[craft] #[craft]
impl crate::backend::Backend { impl crate::backend::Backend {
#[craft(endpoint(status_codes(StatusCode::OK, StatusCode::INTERNAL_SERVER_ERROR)))] #[craft(endpoint(status_codes(StatusCode::OK, StatusCode::INTERNAL_SERVER_ERROR)))]
pub async fn get_apps(self: ::std::sync::Arc<Self>) -> AppResult<Json<GetAppsResponse>> { pub async fn get_apps(self: ::std::sync::Arc<Self>, depot: &mut Depot) -> AppResult<Json<GetAppsResponse>> {
let user = match auth::get_user_from_depot(depot) {
Some(u) => u.clone(),
None => {
error!("get_apps reached without authenticated user in depot");
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: "Not authenticated".to_string(),
});
}
};
let standard_error = Err(AppError { let standard_error = Err(AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR, status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "failed to get available apps".to_string(), description: "failed to get available apps".to_string(),
@@ -143,6 +154,19 @@ impl crate::backend::Backend {
get_apps_resp.apps.insert(server.name, resp_vec); get_apps_resp.apps.insert(server.name, resp_vec);
} }
// Filter apps by user permissions (admins see everything)
if !user.is_admin {
let permissions = self.db.get_permissions(&user.id).unwrap_or_default();
for (server_name, apps) in get_apps_resp.apps.iter_mut() {
apps.retain(|app| {
permissions.iter().any(|p| {
p.server == *server_name && p.app_id == app.id as i64
})
});
}
get_apps_resp.apps.retain(|_, apps| !apps.is_empty());
}
Ok(Json(get_apps_resp)) Ok(Json(get_apps_resp))
} }
} }
gamestream-webtransport-proxy/src/auth.rs
+326
View File
@@ -0,0 +1,326 @@
use std::sync::Arc;
use salvo::prelude::*;
use serde::{Deserialize, Serialize};
use tracing::error;
use crate::common::{AppError, AppResult};
use crate::db::{AppPermission, Db, User};
const SESSION_MAX_AGE_SECONDS: i64 = 7 * 24 * 3600; // 7 days
// Key used to store the authenticated user in the Salvo Depot
const USER_DEPOT_KEY: &str = "authenticated_user";
pub fn get_user_from_depot(depot: &Depot) -> Option<&User> {
depot.get::<User>(USER_DEPOT_KEY).ok()
}
// -- Middleware --
pub struct SessionAuthMiddleware {
pub db: Arc<Db>,
}
#[handler]
impl SessionAuthMiddleware {
async fn handle(&self, req: &mut Request, depot: &mut Depot, res: &mut Response, ctrl: &mut FlowCtrl) {
let token = req
.headers()
.get("authorization")
.and_then(|v| v.to_str().ok())
.and_then(|v| v.strip_prefix("Bearer "));
let token = match token {
Some(t) => t,
None => {
res.status_code(StatusCode::UNAUTHORIZED);
Json(serde_json::json!({"description": "Missing or invalid Authorization header"})).render(res);
ctrl.skip_rest();
return;
}
};
match self.db.validate_session(token) {
Ok(Some(user)) => {
depot.insert(USER_DEPOT_KEY, user);
}
Ok(None) => {
res.status_code(StatusCode::UNAUTHORIZED);
Json(serde_json::json!({"description": "Invalid or expired session"})).render(res);
ctrl.skip_rest();
return;
}
Err(e) => {
error!("Session validation error: {e}");
res.status_code(StatusCode::INTERNAL_SERVER_ERROR);
Json(serde_json::json!({"description": "Internal server error"})).render(res);
ctrl.skip_rest();
return;
}
}
}
}
pub struct AdminCheckMiddleware;
#[handler]
impl AdminCheckMiddleware {
async fn handle(&self, _req: &mut Request, depot: &mut Depot, res: &mut Response, ctrl: &mut FlowCtrl) {
let user = match get_user_from_depot(depot) {
Some(u) => u,
None => {
res.status_code(StatusCode::UNAUTHORIZED);
Json(serde_json::json!({"description": "Not authenticated"})).render(res);
ctrl.skip_rest();
return;
}
};
if !user.is_admin {
res.status_code(StatusCode::FORBIDDEN);
Json(serde_json::json!({"description": "Admin access required"})).render(res);
ctrl.skip_rest();
return;
}
}
}
// -- Request/Response types --
#[derive(Deserialize, ToSchema)]
pub struct LoginRequest {
pub username: String,
pub password: String,
}
#[derive(Serialize, ToSchema)]
pub struct LoginResponse {
pub token: String,
}
#[derive(Serialize, ToSchema)]
pub struct MeResponse {
pub username: String,
pub is_admin: bool,
pub permissions: Vec<AppPermission>,
}
#[derive(Deserialize, ToSchema)]
pub struct CreateUserRequest {
pub username: String,
pub password: String,
pub is_admin: bool,
}
#[derive(Deserialize, ToSchema)]
pub struct UpdateUserRequest {
pub password: Option<String>,
pub is_admin: Option<bool>,
}
#[derive(Deserialize, ToSchema)]
pub struct SetPermissionsRequest {
pub permissions: Vec<AppPermission>,
}
// -- Auth endpoint handlers --
#[craft]
impl crate::backend::Backend {
#[craft(handler)]
pub async fn login(
self: Arc<Self>,
body: salvo::oapi::extract::JsonBody<LoginRequest>,
) -> AppResult<Json<LoginResponse>> {
let user = match self.db.verify_password(&body.username, &body.password) {
Ok(Some(u)) => u,
Ok(None) => {
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: "Invalid username or password".to_string(),
});
}
Err(e) => {
error!("Login error: {e}");
return Err(AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "Internal server error".to_string(),
});
}
};
let token = match self.db.create_session(&user.id, SESSION_MAX_AGE_SECONDS) {
Ok(t) => t,
Err(e) => {
error!("Session creation error: {e}");
return Err(AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "Internal server error".to_string(),
});
}
};
Ok(Json(LoginResponse { token }))
}
#[craft(handler)]
pub async fn logout(self: Arc<Self>, req: &mut Request) -> AppResult<Json<serde_json::Value>> {
let token = req
.headers()
.get("authorization")
.and_then(|v| v.to_str().ok())
.and_then(|v| v.strip_prefix("Bearer "))
.unwrap_or("");
let _ = self.db.delete_session(token);
Ok(Json(serde_json::json!({"status": "ok"})))
}
#[craft(handler)]
pub async fn me(self: Arc<Self>, depot: &mut Depot) -> AppResult<Json<MeResponse>> {
let user = match get_user_from_depot(depot) {
Some(u) => u.clone(),
None => {
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: "Not authenticated".to_string(),
});
}
};
let permissions = self.db.get_permissions(&user.id).unwrap_or_default();
Ok(Json(MeResponse {
username: user.username,
is_admin: user.is_admin,
permissions,
}))
}
// -- Admin endpoint handlers --
#[craft(handler)]
pub async fn admin_list_users(self: Arc<Self>) -> AppResult<Json<Vec<User>>> {
match self.db.list_users() {
Ok(users) => Ok(Json(users)),
Err(e) => {
error!("List users error: {e}");
Err(AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "Failed to list users".to_string(),
})
}
}
}
#[craft(handler)]
pub async fn admin_create_user(
self: Arc<Self>,
body: salvo::oapi::extract::JsonBody<CreateUserRequest>,
) -> AppResult<Json<User>> {
match self
.db
.create_user(&body.username, &body.password, body.is_admin)
{
Ok(user) => Ok(Json(user)),
Err(e) => {
error!("Create user error: {e}");
Err(AppError {
status_code: StatusCode::BAD_REQUEST,
description: format!("Failed to create user: {e}"),
})
}
}
}
#[craft(handler)]
pub async fn admin_update_user(
self: Arc<Self>,
req: &mut Request,
body: salvo::oapi::extract::JsonBody<UpdateUserRequest>,
) -> AppResult<Json<serde_json::Value>> {
let user_id = req.param::<String>("id").unwrap_or_default();
match self
.db
.update_user(&user_id, body.password.as_deref(), body.is_admin)
{
Ok(true) => Ok(Json(serde_json::json!({"status": "ok"}))),
Ok(false) => Err(AppError {
status_code: StatusCode::NOT_FOUND,
description: "User not found".to_string(),
}),
Err(e) => {
error!("Update user error: {e}");
Err(AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "Failed to update user".to_string(),
})
}
}
}
#[craft(handler)]
pub async fn admin_delete_user(
self: Arc<Self>,
req: &mut Request,
) -> AppResult<Json<serde_json::Value>> {
let user_id = req.param::<String>("id").unwrap_or_default();
match self.db.delete_user(&user_id) {
Ok(true) => Ok(Json(serde_json::json!({"status": "ok"}))),
Ok(false) => Err(AppError {
status_code: StatusCode::NOT_FOUND,
description: "User not found".to_string(),
}),
Err(e) => {
error!("Delete user error: {e}");
Err(AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "Failed to delete user".to_string(),
})
}
}
}
#[craft(handler)]
pub async fn admin_get_permissions(
self: Arc<Self>,
req: &mut Request,
) -> AppResult<Json<Vec<AppPermission>>> {
let user_id = req.param::<String>("id").unwrap_or_default();
match self.db.get_permissions(&user_id) {
Ok(perms) => Ok(Json(perms)),
Err(e) => {
error!("Get permissions error: {e}");
Err(AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "Failed to get permissions".to_string(),
})
}
}
}
#[craft(handler)]
pub async fn admin_set_permissions(
self: Arc<Self>,
req: &mut Request,
body: salvo::oapi::extract::JsonBody<SetPermissionsRequest>,
) -> AppResult<Json<serde_json::Value>> {
let user_id = req.param::<String>("id").unwrap_or_default();
match self.db.set_permissions(&user_id, &body.permissions) {
Ok(()) => Ok(Json(serde_json::json!({"status": "ok"}))),
Err(e) => {
error!("Set permissions error: {e}");
Err(AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "Failed to set permissions".to_string(),
})
}
}
}
}
gamestream-webtransport-proxy/src/backend.rs
+12
View File
@@ -5,6 +5,7 @@ use salvo::oapi::ToSchema;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use tokio::sync::RwLock; use tokio::sync::RwLock;
use crate::db::Db;
use crate::state::StateFile; use crate::state::StateFile;
#[derive(Debug, Clone, Deserialize, Serialize)] #[derive(Debug, Clone, Deserialize, Serialize)]
@@ -89,14 +90,25 @@ pub struct Backend {
pub state: StateFile, pub state: StateFile,
pub streams: RwLock<HashMap<uuid::Uuid, Stream>>, pub streams: RwLock<HashMap<uuid::Uuid, Stream>>,
pub port: u16, pub port: u16,
pub db: Db,
} }
impl Backend { impl Backend {
pub fn new(port: u16) -> Result<Self> { pub fn new(port: u16) -> Result<Self> {
let project_dirs =
directories::ProjectDirs::from("xyz", "ohea", "gamestream-webtransport-proxy")
.ok_or(anyhow::anyhow!("Could not get project dirs"))?;
let data_dir = project_dirs.data_dir();
std::fs::create_dir_all(data_dir)?;
let db_path = data_dir.join("auth.db");
let db = Db::open(&db_path)?;
Ok(Backend { Ok(Backend {
state: StateFile::new()?, state: StateFile::new()?,
streams: RwLock::new(HashMap::new()), streams: RwLock::new(HashMap::new()),
port, port,
db,
}) })
} }
} }
gamestream-webtransport-proxy/src/db.rs
+659
View File
@@ -0,0 +1,659 @@
use std::path::Path;
use std::sync::Mutex;
use anyhow::{Context, Result};
use argon2::{
Argon2,
password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString, rand_core::OsRng},
};
use salvo::oapi::ToSchema;
use serde::{Deserialize, Serialize};
#[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
pub struct User {
pub id: String,
pub username: String,
pub is_admin: bool,
pub created_at: String,
}
#[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
pub struct AppPermission {
pub server: String,
pub app_id: i64,
}
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Session {
pub token: String,
pub user_id: String,
pub created_at: String,
pub expires_at: String,
}
pub struct Db {
conn: Mutex<rusqlite::Connection>,
}
impl Db {
pub fn open(path: &Path) -> Result<Self> {
let conn = rusqlite::Connection::open(path)?;
let db = Db {
conn: Mutex::new(conn),
};
db.init()?;
Ok(db)
}
fn init(&self) -> Result<()> {
let conn = self.conn.lock().unwrap();
conn.execute_batch("PRAGMA foreign_keys = ON;")?;
conn.execute_batch(
"CREATE TABLE IF NOT EXISTS users (
id TEXT PRIMARY KEY,
username TEXT UNIQUE NOT NULL,
password TEXT NOT NULL,
is_admin INTEGER NOT NULL DEFAULT 0,
created_at TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS user_app_permissions (
user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
server TEXT NOT NULL,
app_id INTEGER NOT NULL,
PRIMARY KEY (user_id, server, app_id)
);
CREATE TABLE IF NOT EXISTS sessions (
token TEXT PRIMARY KEY,
user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
created_at TEXT NOT NULL,
expires_at TEXT NOT NULL
);",
)?;
Ok(())
}
pub fn seed_admin_if_needed(&self) -> Result<Option<(String, String)>> {
let conn = self.conn.lock().unwrap();
let count: i64 = conn.query_row("SELECT COUNT(*) FROM users", [], |row| row.get(0))?;
if count > 0 {
return Ok(None);
}
drop(conn);
let password = generate_random_password();
let user = self.create_user("admin", &password, true)?;
Ok(Some((user.username, password)))
}
pub fn create_user(&self, username: &str, password: &str, is_admin: bool) -> Result<User> {
let id = uuid::Uuid::new_v4().to_string();
let password_hash = hash_password(password)?;
let created_at = now_iso8601();
let conn = self.conn.lock().unwrap();
conn.execute(
"INSERT INTO users (id, username, password, is_admin, created_at) VALUES (?1, ?2, ?3, ?4, ?5)",
rusqlite::params![id, username, password_hash, is_admin as i32, created_at],
).context("Failed to create user (username may already exist)")?;
Ok(User {
id,
username: username.to_string(),
is_admin,
created_at,
})
}
pub fn verify_password(&self, username: &str, password: &str) -> Result<Option<User>> {
let conn = self.conn.lock().unwrap();
let mut stmt = conn.prepare(
"SELECT id, username, password, is_admin, created_at FROM users WHERE username = ?1",
)?;
let mut rows = stmt.query(rusqlite::params![username])?;
let row = match rows.next()? {
Some(r) => r,
None => return Ok(None),
};
let id: String = row.get(0)?;
let uname: String = row.get(1)?;
let stored_hash: String = row.get(2)?;
let is_admin: bool = row.get::<_, i32>(3)? != 0;
let created_at: String = row.get(4)?;
let parsed_hash =
PasswordHash::new(&stored_hash).map_err(|e| anyhow::anyhow!("Invalid hash: {e}"))?;
if Argon2::default()
.verify_password(password.as_bytes(), &parsed_hash)
.is_err()
{
return Ok(None);
}
Ok(Some(User {
id,
username: uname,
is_admin,
created_at,
}))
}
pub fn get_user(&self, user_id: &str) -> Result<Option<User>> {
let conn = self.conn.lock().unwrap();
let mut stmt = conn.prepare(
"SELECT id, username, is_admin, created_at FROM users WHERE id = ?1",
)?;
let mut rows = stmt.query(rusqlite::params![user_id])?;
match rows.next()? {
Some(row) => Ok(Some(User {
id: row.get(0)?,
username: row.get(1)?,
is_admin: row.get::<_, i32>(2)? != 0,
created_at: row.get(3)?,
})),
None => Ok(None),
}
}
pub fn list_users(&self) -> Result<Vec<User>> {
let conn = self.conn.lock().unwrap();
let mut stmt =
conn.prepare("SELECT id, username, is_admin, created_at FROM users ORDER BY username")?;
let users = stmt
.query_map([], |row| {
Ok(User {
id: row.get(0)?,
username: row.get(1)?,
is_admin: row.get::<_, i32>(2)? != 0,
created_at: row.get(3)?,
})
})?
.collect::<std::result::Result<Vec<_>, _>>()?;
Ok(users)
}
pub fn update_user(
&self,
user_id: &str,
new_password: Option<&str>,
new_is_admin: Option<bool>,
) -> Result<bool> {
let conn = self.conn.lock().unwrap();
if let Some(password) = new_password {
let hash = hash_password(password)?;
conn.execute(
"UPDATE users SET password = ?1 WHERE id = ?2",
rusqlite::params![hash, user_id],
)?;
}
if let Some(is_admin) = new_is_admin {
conn.execute(
"UPDATE users SET is_admin = ?1 WHERE id = ?2",
rusqlite::params![is_admin as i32, user_id],
)?;
}
let changed = conn.changes() > 0;
Ok(changed)
}
pub fn delete_user(&self, user_id: &str) -> Result<bool> {
let conn = self.conn.lock().unwrap();
conn.execute("PRAGMA foreign_keys = ON;", [])?;
let rows = conn.execute("DELETE FROM users WHERE id = ?1", rusqlite::params![user_id])?;
Ok(rows > 0)
}
// Session management
pub fn create_session(&self, user_id: &str, max_age_seconds: i64) -> Result<String> {
let token = generate_session_token();
let created_at = now_iso8601();
let expires_at = future_iso8601(max_age_seconds);
let conn = self.conn.lock().unwrap();
conn.execute(
"INSERT INTO sessions (token, user_id, created_at, expires_at) VALUES (?1, ?2, ?3, ?4)",
rusqlite::params![token, user_id, created_at, expires_at],
)?;
Ok(token)
}
pub fn validate_session(&self, token: &str) -> Result<Option<User>> {
let conn = self.conn.lock().unwrap();
let now = now_iso8601();
let mut stmt = conn.prepare(
"SELECT u.id, u.username, u.is_admin, u.created_at
FROM sessions s
JOIN users u ON s.user_id = u.id
WHERE s.token = ?1 AND s.expires_at > ?2",
)?;
let mut rows = stmt.query(rusqlite::params![token, now])?;
match rows.next()? {
Some(row) => Ok(Some(User {
id: row.get(0)?,
username: row.get(1)?,
is_admin: row.get::<_, i32>(2)? != 0,
created_at: row.get(3)?,
})),
None => Ok(None),
}
}
pub fn delete_session(&self, token: &str) -> Result<bool> {
let conn = self.conn.lock().unwrap();
let rows = conn.execute(
"DELETE FROM sessions WHERE token = ?1",
rusqlite::params![token],
)?;
Ok(rows > 0)
}
pub fn cleanup_expired_sessions(&self) -> Result<usize> {
let conn = self.conn.lock().unwrap();
let now = now_iso8601();
let rows = conn.execute(
"DELETE FROM sessions WHERE expires_at <= ?1",
rusqlite::params![now],
)?;
Ok(rows)
}
// Permission management
pub fn set_permissions(&self, user_id: &str, permissions: &[AppPermission]) -> Result<()> {
let conn = self.conn.lock().unwrap();
conn.execute(
"DELETE FROM user_app_permissions WHERE user_id = ?1",
rusqlite::params![user_id],
)?;
let mut stmt = conn.prepare(
"INSERT INTO user_app_permissions (user_id, server, app_id) VALUES (?1, ?2, ?3)",
)?;
for perm in permissions {
stmt.execute(rusqlite::params![user_id, perm.server, perm.app_id])?;
}
Ok(())
}
pub fn get_permissions(&self, user_id: &str) -> Result<Vec<AppPermission>> {
let conn = self.conn.lock().unwrap();
let mut stmt = conn.prepare(
"SELECT server, app_id FROM user_app_permissions WHERE user_id = ?1",
)?;
let perms = stmt
.query_map(rusqlite::params![user_id], |row| {
Ok(AppPermission {
server: row.get(0)?,
app_id: row.get(1)?,
})
})?
.collect::<std::result::Result<Vec<_>, _>>()?;
Ok(perms)
}
pub fn check_app_permission(
&self,
user_id: &str,
server: &str,
app_id: i64,
) -> Result<bool> {
// Check if user is admin first
let conn = self.conn.lock().unwrap();
let is_admin: i32 = conn.query_row(
"SELECT is_admin FROM users WHERE id = ?1",
rusqlite::params![user_id],
|row| row.get(0),
)?;
if is_admin != 0 {
return Ok(true);
}
let count: i64 = conn.query_row(
"SELECT COUNT(*) FROM user_app_permissions WHERE user_id = ?1 AND server = ?2 AND app_id = ?3",
rusqlite::params![user_id, server, app_id],
|row| row.get(0),
)?;
Ok(count > 0)
}
}
fn hash_password(password: &str) -> Result<String> {
let salt = SaltString::generate(&mut OsRng);
let hash = Argon2::default()
.hash_password(password.as_bytes(), &salt)
.map_err(|e| anyhow::anyhow!("Failed to hash password: {e}"))?;
Ok(hash.to_string())
}
fn generate_session_token() -> String {
let mut bytes = [0u8; 32];
openssl::rand::rand_bytes(&mut bytes).expect("Failed to generate random bytes");
hex::encode(bytes)
}
fn generate_random_password() -> String {
let mut bytes = [0u8; 16];
openssl::rand::rand_bytes(&mut bytes).expect("Failed to generate random bytes");
hex::encode(bytes)
}
fn now_iso8601() -> String {
std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_secs()
.to_string()
}
fn future_iso8601(seconds_from_now: i64) -> String {
let now = std::time::SystemTime::now()
.duration_since(std::time::UNIX_EPOCH)
.unwrap()
.as_secs();
(now as i64 + seconds_from_now).to_string()
}
#[cfg(test)]
mod tests {
use super::*;
fn test_db() -> Db {
let conn = rusqlite::Connection::open_in_memory().unwrap();
let db = Db {
conn: Mutex::new(conn),
};
db.init().unwrap();
db
}
#[test]
fn test_create_and_get_user() {
let db = test_db();
let user = db.create_user("alice", "password123", false).unwrap();
assert_eq!(user.username, "alice");
assert!(!user.is_admin);
let fetched = db.get_user(&user.id).unwrap().unwrap();
assert_eq!(fetched.username, "alice");
assert_eq!(fetched.id, user.id);
}
#[test]
fn test_verify_correct_password() {
let db = test_db();
db.create_user("bob", "secret", false).unwrap();
let result = db.verify_password("bob", "secret").unwrap();
assert!(result.is_some());
assert_eq!(result.unwrap().username, "bob");
}
#[test]
fn test_verify_wrong_password() {
let db = test_db();
db.create_user("bob", "secret", false).unwrap();
let result = db.verify_password("bob", "wrong").unwrap();
assert!(result.is_none());
}
#[test]
fn test_verify_nonexistent_user() {
let db = test_db();
let result = db.verify_password("nobody", "pass").unwrap();
assert!(result.is_none());
}
#[test]
fn test_duplicate_username_rejected() {
let db = test_db();
db.create_user("alice", "pass1", false).unwrap();
let result = db.create_user("alice", "pass2", false);
assert!(result.is_err());
}
#[test]
fn test_list_users() {
let db = test_db();
db.create_user("charlie", "pass", false).unwrap();
db.create_user("alice", "pass", true).unwrap();
let users = db.list_users().unwrap();
assert_eq!(users.len(), 2);
assert_eq!(users[0].username, "alice"); // sorted
assert_eq!(users[1].username, "charlie");
}
#[test]
fn test_update_user_password() {
let db = test_db();
let user = db.create_user("dave", "oldpass", false).unwrap();
db.update_user(&user.id, Some("newpass"), None).unwrap();
assert!(db.verify_password("dave", "oldpass").unwrap().is_none());
assert!(db.verify_password("dave", "newpass").unwrap().is_some());
}
#[test]
fn test_update_user_admin_status() {
let db = test_db();
let user = db.create_user("eve", "pass", false).unwrap();
assert!(!user.is_admin);
db.update_user(&user.id, None, Some(true)).unwrap();
let updated = db.get_user(&user.id).unwrap().unwrap();
assert!(updated.is_admin);
}
#[test]
fn test_delete_user() {
let db = test_db();
let user = db.create_user("frank", "pass", false).unwrap();
assert!(db.delete_user(&user.id).unwrap());
assert!(db.get_user(&user.id).unwrap().is_none());
}
#[test]
fn test_delete_nonexistent_user() {
let db = test_db();
assert!(!db.delete_user("nonexistent-id").unwrap());
}
#[test]
fn test_create_and_validate_session() {
let db = test_db();
let user = db.create_user("grace", "pass", false).unwrap();
let token = db.create_session(&user.id, 3600).unwrap();
let validated = db.validate_session(&token).unwrap();
assert!(validated.is_some());
assert_eq!(validated.unwrap().username, "grace");
}
#[test]
fn test_expired_session_rejected() {
let db = test_db();
let user = db.create_user("heidi", "pass", false).unwrap();
// Create session that expired 10 seconds ago
let token = db.create_session(&user.id, -10).unwrap();
let validated = db.validate_session(&token).unwrap();
assert!(validated.is_none());
}
#[test]
fn test_invalid_token_rejected() {
let db = test_db();
let validated = db.validate_session("bogus-token").unwrap();
assert!(validated.is_none());
}
#[test]
fn test_delete_session() {
let db = test_db();
let user = db.create_user("ivan", "pass", false).unwrap();
let token = db.create_session(&user.id, 3600).unwrap();
assert!(db.delete_session(&token).unwrap());
assert!(db.validate_session(&token).unwrap().is_none());
}
#[test]
fn test_delete_user_cascades_sessions() {
let db = test_db();
let user = db.create_user("judy", "pass", false).unwrap();
let token = db.create_session(&user.id, 3600).unwrap();
db.delete_user(&user.id).unwrap();
assert!(db.validate_session(&token).unwrap().is_none());
}
#[test]
fn test_delete_user_cascades_permissions() {
let db = test_db();
let user = db.create_user("karl", "pass", false).unwrap();
db.set_permissions(
&user.id,
&[AppPermission {
server: "srv".to_string(),
app_id: 1,
}],
)
.unwrap();
db.delete_user(&user.id).unwrap();
// Permissions table should be empty for this user
let perms = db.get_permissions(&user.id).unwrap();
assert!(perms.is_empty());
}
#[test]
fn test_set_and_get_permissions() {
let db = test_db();
let user = db.create_user("laura", "pass", false).unwrap();
let perms = vec![
AppPermission {
server: "server1".to_string(),
app_id: 10,
},
AppPermission {
server: "server1".to_string(),
app_id: 20,
},
];
db.set_permissions(&user.id, &perms).unwrap();
let fetched = db.get_permissions(&user.id).unwrap();
assert_eq!(fetched.len(), 2);
}
#[test]
fn test_set_permissions_replaces_existing() {
let db = test_db();
let user = db.create_user("mike", "pass", false).unwrap();
db.set_permissions(
&user.id,
&[AppPermission {
server: "s1".to_string(),
app_id: 1,
}],
)
.unwrap();
db.set_permissions(
&user.id,
&[AppPermission {
server: "s2".to_string(),
app_id: 2,
}],
)
.unwrap();
let perms = db.get_permissions(&user.id).unwrap();
assert_eq!(perms.len(), 1);
assert_eq!(perms[0].server, "s2");
assert_eq!(perms[0].app_id, 2);
}
#[test]
fn test_check_app_permission_allowed() {
let db = test_db();
let user = db.create_user("nancy", "pass", false).unwrap();
db.set_permissions(
&user.id,
&[AppPermission {
server: "srv".to_string(),
app_id: 42,
}],
)
.unwrap();
assert!(db.check_app_permission(&user.id, "srv", 42).unwrap());
}
#[test]
fn test_check_app_permission_denied() {
let db = test_db();
let user = db.create_user("oscar", "pass", false).unwrap();
assert!(!db.check_app_permission(&user.id, "srv", 42).unwrap());
}
#[test]
fn test_check_app_permission_admin_bypass() {
let db = test_db();
let user = db.create_user("pat", "pass", true).unwrap();
// Admin has no explicit permissions but should pass
assert!(db.check_app_permission(&user.id, "srv", 42).unwrap());
}
#[test]
fn test_cleanup_expired_sessions() {
let db = test_db();
let user = db.create_user("quinn", "pass", false).unwrap();
let _expired = db.create_session(&user.id, -10).unwrap();
let valid = db.create_session(&user.id, 3600).unwrap();
let cleaned = db.cleanup_expired_sessions().unwrap();
assert_eq!(cleaned, 1);
// Valid session should still work
assert!(db.validate_session(&valid).unwrap().is_some());
}
#[test]
fn test_seed_admin_if_needed() {
let db = test_db();
// First call should create admin
let result = db.seed_admin_if_needed().unwrap();
assert!(result.is_some());
let (username, password) = result.unwrap();
assert_eq!(username, "admin");
assert!(!password.is_empty());
// Verify can login with generated password
let user = db.verify_password("admin", &password).unwrap().unwrap();
assert!(user.is_admin);
// Second call should be a no-op
let result = db.seed_admin_if_needed().unwrap();
assert!(result.is_none());
}
}
gamestream-webtransport-proxy/src/main.rs
+69 -8
View File
@@ -3,9 +3,11 @@ use salvo::logging::Logger;
use salvo::prelude::*; use salvo::prelude::*;
mod apps; mod apps;
mod auth;
mod backend; mod backend;
mod certs; mod certs;
mod common; mod common;
mod db;
mod gamestream; mod gamestream;
mod pair; mod pair;
mod proxy; mod proxy;
@@ -40,12 +42,70 @@ fn create_static_handler() -> impl Handler {
async fn run_backend(port: u16) -> Result<()> { async fn run_backend(port: u16) -> Result<()> {
let backend = backend::Backend::new(port)?; let backend = backend::Backend::new(port)?;
// Seed default admin user if no users exist
if let Some((username, password)) = backend.db.seed_admin_if_needed()? {
tracing::info!("Created default admin user: {username}");
println!("===========================================");
println!(" Default admin credentials:");
println!(" Username: {username}");
println!(" Password: {password}");
println!("===========================================");
}
// Clean up expired sessions on startup
if let Ok(cleaned) = backend.db.cleanup_expired_sessions() {
if cleaned > 0 {
tracing::info!("Cleaned up {cleaned} expired sessions");
}
}
let backend_arc = std::sync::Arc::new(backend); let backend_arc = std::sync::Arc::new(backend);
let auth_middleware = auth::SessionAuthMiddleware {
db: std::sync::Arc::new(
db::Db::open(
&directories::ProjectDirs::from("xyz", "ohea", "gamestream-webtransport-proxy")
.ok_or(anyhow!("Could not get project dirs"))?
.data_dir()
.join("auth.db"),
)?,
),
};
let router = Router::new() let router = Router::new()
.push(Router::with_path("api/pair").post(backend_arc.post_pair())) // Public auth routes
.push(Router::with_path("api/apps").get(backend_arc.get_apps())) .push(Router::with_path("api/auth/login").post(backend_arc.login()))
.push(Router::with_path("api/stream/start").post(backend_arc.post_stream_start())) // Authenticated routes
.push(
Router::with_path("api")
.hoop(auth_middleware)
.push(Router::with_path("auth/logout").post(backend_arc.logout()))
.push(Router::with_path("auth/me").get(backend_arc.me()))
.push(Router::with_path("pair").post(backend_arc.post_pair()))
.push(Router::with_path("apps").get(backend_arc.get_apps()))
.push(Router::with_path("stream/start").post(backend_arc.post_stream_start()))
// Admin-only routes
.push(
Router::with_path("admin")
.hoop(auth::AdminCheckMiddleware)
.push(
Router::with_path("users")
.get(backend_arc.admin_list_users())
.post(backend_arc.admin_create_user()),
)
.push(
Router::with_path("users/<id>")
.put(backend_arc.admin_update_user())
.delete(backend_arc.admin_delete_user()),
)
.push(
Router::with_path("users/<id>/permissions")
.get(backend_arc.admin_get_permissions())
.put(backend_arc.admin_set_permissions()),
),
),
)
.push(Router::with_path("{*path}").get(create_static_handler())); .push(Router::with_path("{*path}").get(create_static_handler()));
let doc = OpenApi::new("test api", "0.0.1").merge_router(&router); let doc = OpenApi::new("test api", "0.0.1").merge_router(&router);
let router = router let router = router
@@ -64,11 +124,9 @@ async fn run_backend(port: u16) -> Result<()> {
Ok(()) Ok(())
} }
async fn run_proxy(port: u16, stream_id: uuid::Uuid) -> Result<()> { async fn run_proxy(port: u16, stream_id: uuid::Uuid, stream_token: String) -> Result<()> {
let (config, cert_hash) = certs::get_webtransport_stream_config(stream_id)?; let (config, cert_hash) = certs::get_webtransport_stream_config(stream_id)?;
//let config = certs::get_http_stream_config()?; let proxy = proxy::Proxy::new(cert_hash, stream_token);
//let cert_hash = [0; 32];
let proxy = proxy::Proxy::new(cert_hash);
let proxy_arc = std::sync::Arc::new(proxy); let proxy_arc = std::sync::Arc::new(proxy);
let router = Router::new() let router = Router::new()
@@ -108,8 +166,11 @@ async fn main() -> anyhow::Result<()> {
.nth(3) .nth(3)
.ok_or(anyhow!("Cert ID argument missing"))?, .ok_or(anyhow!("Cert ID argument missing"))?,
)?; )?;
let stream_token = std::env::args()
.nth(4)
.ok_or(anyhow!("Stream token argument missing"))?;
run_proxy(port, stream_id).await run_proxy(port, stream_id, stream_token).await
} }
_ => Err(anyhow!("Unknown mode: {mode}")), _ => Err(anyhow!("Unknown mode: {mode}")),
} }
gamestream-webtransport-proxy/src/proxy/handler.rs
+12
View File
@@ -85,6 +85,18 @@ impl crate::proxy::Proxy {
description: "Could not start stream".to_string(), description: "Could not start stream".to_string(),
}); });
// Validate single-use stream token via the shared helper so this
// handler and its unit tests exercise the same code path.
let provided_token = req.query::<String>("token").unwrap_or_default();
if let Err(msg) = super::validate_stream_token(&self, &provided_token).await {
error!("Stream token validation failed: {msg}");
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: msg,
});
}
info!("Stream token validated and consumed");
info!("WebTransport connection initiated"); info!("WebTransport connection initiated");
let (wt_stream_send, wt_stream_recv, wt_datagram_send) = match setup_webtransport(req).await let (wt_stream_send, wt_stream_recv, wt_datagram_send) = match setup_webtransport(req).await
{ {
gamestream-webtransport-proxy/src/proxy/mod.rs
+75 -3
View File
@@ -11,16 +11,16 @@ mod video;
pub struct Proxy { pub struct Proxy {
pub cert_hash: [u8; 32], pub cert_hash: [u8; 32],
//pub cert_hash: String,
pub stream: RwLock<Option<backend::Stream>>, pub stream: RwLock<Option<backend::Stream>>,
pub stream_token: RwLock<Option<String>>,
} }
impl Proxy { impl Proxy {
pub fn new(cert_hash: [u8; 32]) -> Self { pub fn new(cert_hash: [u8; 32], stream_token: String) -> Self {
//pub fn new(cert_hash: String) -> Self {
Proxy { Proxy {
stream: RwLock::new(None), stream: RwLock::new(None),
cert_hash, cert_hash,
stream_token: RwLock::new(Some(stream_token)),
} }
} }
} }
@@ -78,6 +78,22 @@ async fn proxy_main(
Ok(()) Ok(())
} }
/// Validate a provided token against the stored token. Consumes the token on success (single-use).
/// Returns Ok(()) if valid, Err with description if invalid or already consumed.
pub async fn validate_stream_token(proxy: &Proxy, provided: &str) -> std::result::Result<(), String> {
let mut token_guard = proxy.stream_token.write().await;
match token_guard.take() {
Some(expected) if expected == provided => Ok(()),
Some(_) => {
// Wrong token: still consumed by the `take()` above. Any validation
// attempt — correct or not — invalidates the token, so a wrong
// guess cannot be followed by a correct one.
Err("Invalid stream token".to_string())
}
None => Err("Stream token already used".to_string()),
}
}
async fn spawn_gamestream(stream: backend::Stream) -> Result<Channels> { async fn spawn_gamestream(stream: backend::Stream) -> Result<Channels> {
let (tx, rx) = tokio::sync::oneshot::channel(); let (tx, rx) = tokio::sync::oneshot::channel();
let (stop_tx, stop_rx) = tokio::sync::oneshot::channel::<()>(); let (stop_tx, stop_rx) = tokio::sync::oneshot::channel::<()>();
@@ -99,3 +115,59 @@ async fn spawn_gamestream(stream: backend::Stream) -> Result<Channels> {
.context("Could not get gamestream communication channels")?, .context("Could not get gamestream communication channels")?,
}) })
} }
#[cfg(test)]
mod tests {
use super::*;
fn make_proxy(token: &str) -> Proxy {
Proxy {
cert_hash: [0u8; 32],
stream: RwLock::new(None),
stream_token: RwLock::new(Some(token.to_string())),
}
}
#[tokio::test]
async fn test_valid_token_accepted() {
let proxy = make_proxy("abc123");
let result = validate_stream_token(&proxy, "abc123").await;
assert!(result.is_ok());
}
#[tokio::test]
async fn test_wrong_token_rejected() {
let proxy = make_proxy("abc123");
let result = validate_stream_token(&proxy, "wrong").await;
assert!(result.is_err());
assert_eq!(result.unwrap_err(), "Invalid stream token");
}
#[tokio::test]
async fn test_missing_token_rejected() {
let proxy = make_proxy("abc123");
let result = validate_stream_token(&proxy, "").await;
assert!(result.is_err());
}
#[tokio::test]
async fn test_token_consumed_after_use() {
let proxy = make_proxy("abc123");
let first = validate_stream_token(&proxy, "abc123").await;
assert!(first.is_ok());
let second = validate_stream_token(&proxy, "abc123").await;
assert!(second.is_err());
assert_eq!(second.unwrap_err(), "Stream token already used");
}
#[tokio::test]
async fn test_wrong_attempt_consumes_token() {
let proxy = make_proxy("abc123");
// Wrong token attempt should consume it
let _ = validate_stream_token(&proxy, "wrong").await;
// Correct token should also fail now
let result = validate_stream_token(&proxy, "abc123").await;
assert!(result.is_err());
}
}
gamestream-webtransport-proxy/src/stream.rs
+45 -2
View File
@@ -7,6 +7,7 @@ use serde::{Deserialize, Serialize};
use tracing::{debug, error, info}; use tracing::{debug, error, info};
use crate::{ use crate::{
auth,
common::{AppError, AppResult, get_url}, common::{AppError, AppResult, get_url},
proxy, responses, proxy, responses,
state::{GamestreamServer, StateReadAccess, StateReader}, state::{GamestreamServer, StateReadAccess, StateReader},
@@ -24,7 +25,7 @@ struct PostStreamStartParams {
struct PostStreamStartResponse { struct PostStreamStartResponse {
url: String, url: String,
cert_hash: [u8; 32], cert_hash: [u8; 32],
//cert_hash: String, stream_token: String,
} }
#[derive(Deserialize)] #[derive(Deserialize)]
@@ -81,12 +82,40 @@ impl crate::backend::Backend {
self: ::std::sync::Arc<Self>, self: ::std::sync::Arc<Self>,
body: salvo::oapi::extract::JsonBody<PostStreamStartParams>, body: salvo::oapi::extract::JsonBody<PostStreamStartParams>,
req: &mut Request, req: &mut Request,
depot: &mut Depot,
) -> AppResult<Json<PostStreamStartResponse>> { ) -> AppResult<Json<PostStreamStartResponse>> {
let standard_error = Err(crate::common::AppError { let standard_error = Err(crate::common::AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR, status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "Could not start stream".to_string(), description: "Could not start stream".to_string(),
}); });
// Check app permission
let user = match auth::get_user_from_depot(depot) {
Some(u) => u.clone(),
None => {
error!("post_stream_start reached without authenticated user in depot");
return Err(AppError {
status_code: StatusCode::UNAUTHORIZED,
description: "Not authenticated".to_string(),
});
}
};
if !user.is_admin {
match self.db.check_app_permission(&user.id, &body.server, body.id as i64) {
Ok(true) => {}
Ok(false) => {
return Err(AppError {
status_code: StatusCode::FORBIDDEN,
description: "You do not have permission to access this application".to_string(),
});
}
Err(e) => {
error!("Permission check error: {e}");
return standard_error;
}
}
}
let reader = self.state.read().await; let reader = self.state.read().await;
let server = match get_server(&reader, &body.server) { let server = match get_server(&reader, &body.server) {
@@ -272,6 +301,19 @@ impl crate::backend::Backend {
let port = self.port + <u16>::try_from((*writer).len()).unwrap(); let port = self.port + <u16>::try_from((*writer).len()).unwrap();
// Generate single-use stream token for proxy authentication
let stream_token = {
let mut bytes = [0u8; 32];
openssl::rand::rand_bytes(&mut bytes).map_err(|e| {
error!("Failed to generate stream token: {e}");
AppError {
status_code: StatusCode::INTERNAL_SERVER_ERROR,
description: "Could not start stream".to_string(),
}
})?;
hex::encode(bytes)
};
// Spawn WebTransport proxy // Spawn WebTransport proxy
let binary_path = match std::env::current_exe() { let binary_path = match std::env::current_exe() {
Ok(b) => b, Ok(b) => b,
@@ -285,7 +327,7 @@ impl crate::backend::Backend {
stream_id, port stream_id, port
); );
match tokio::process::Command::new(binary_path) match tokio::process::Command::new(binary_path)
.args(["proxy", &port.to_string(), &stream_id.to_string()]) .args(["proxy", &port.to_string(), &stream_id.to_string(), &stream_token])
.spawn() .spawn()
{ {
Ok(_) => (), Ok(_) => (),
@@ -326,6 +368,7 @@ impl crate::backend::Backend {
let post_stream_response = PostStreamStartResponse { let post_stream_response = PostStreamStartResponse {
url: webtransport_url, url: webtransport_url,
cert_hash: setup_resp.cert_hash, cert_hash: setup_resp.cert_hash,
stream_token,
}; };
Ok(Json(post_stream_response)) Ok(Json(post_stream_response))