feat(server): HMAC stream token auth path (UPnP slice 1/6)
Adds SignStreamToken / VerifyStreamToken (HMAC-SHA256 over trackID|exp) and modifies handleGetStream to accept either the existing session cookie OR a valid signed token. Stream route moved out of the authed group so the handler's own auth check runs and the token bypass is reachable. Enables Sonos / UPnP speakers to fetch the stream URL without carrying the user's session cookie - they cannot. The token is short-lived (max 24h per the design); expiry checked at request time only, not per-byte, so long tracks play through. streamSecret field on handlers is nil for now; Task 2 wires the loader (env var with auto-generated fallback persisted in app_preferences). Adds auth.OptionalUser - the permissive sibling of RequireUser that attaches the user to context when a valid cookie / bearer is present but does NOT 401 on absence. The stream route is wrapped with it so the handler can fall through to the token path when no session is present. newLibraryRouter (test fixture) gets a synthetic-user middleware on the stream route so existing media_test tests keep passing without seeding a real session row - production traffic uses auth.OptionalUser, the test path uses auth.UserCtxKeyForTest(). Five tests cover round-trip, tampered token rejection, expiry, wrong-track-ID, and wrong-secret rejection. CI verifies.
This commit is contained in:
@@ -11,9 +11,11 @@ import (
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"git.fabledsword.com/bvandeusen/minstrel/internal/apierror"
|
||||
"git.fabledsword.com/bvandeusen/minstrel/internal/auth"
|
||||
"git.fabledsword.com/bvandeusen/minstrel/internal/coverart"
|
||||
"git.fabledsword.com/bvandeusen/minstrel/internal/db/dbq"
|
||||
)
|
||||
@@ -121,15 +123,55 @@ func (h *handlers) handleGetCover(w http.ResponseWriter, r *http.Request) {
|
||||
http.ServeContent(w, r, filepath.Base(path), info.ModTime(), f)
|
||||
}
|
||||
|
||||
// streamAuthOk returns true if the request is authorized to fetch the
|
||||
// stream — either via the standard session path (cookie OR bearer token
|
||||
// resolved to a user-in-context by auth.OptionalUser, the middleware
|
||||
// the route is wrapped with in api.go) OR via a valid short-lived HMAC
|
||||
// token in the ?token=&exp= query (UPnP / Sonos path, new for the
|
||||
// output-picker UPnP slice).
|
||||
//
|
||||
// The token path lets network speakers fetch the stream URL without
|
||||
// carrying the user's session cookie — they cannot. See the design at
|
||||
// docs/superpowers/specs/2026-06-03-android-output-picker-upnp-design.md.
|
||||
//
|
||||
// When h.streamSecret is nil (slice-1 default, until slice 2 wires the
|
||||
// loader), the token path always rejects because the HMAC of an empty
|
||||
// key won't match any token a client could mint. The session path keeps
|
||||
// working.
|
||||
func (h *handlers) streamAuthOk(r *http.Request, trackID string) bool {
|
||||
if _, ok := auth.UserFromContext(r.Context()); ok {
|
||||
return true
|
||||
}
|
||||
tok := r.URL.Query().Get("token")
|
||||
expStr := r.URL.Query().Get("exp")
|
||||
if tok == "" || expStr == "" {
|
||||
return false
|
||||
}
|
||||
exp, err := strconv.ParseInt(expStr, 10, 64)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
return VerifyStreamToken(h.streamSecret, trackID, exp, tok)
|
||||
}
|
||||
|
||||
// handleGetStream implements GET /api/tracks/{id}/stream. Opens the file on
|
||||
// disk and delegates byte-serving to http.ServeContent, which handles Range,
|
||||
// If-Modified-Since, and ETag based on the file's mod time.
|
||||
//
|
||||
// The route lives outside the authed.Group so this handler can accept
|
||||
// EITHER a session-resolved user (attached by auth.OptionalUser, the
|
||||
// permissive middleware the route is wrapped with) OR a signed token
|
||||
// (UPnP slice). streamAuthOk gates both paths.
|
||||
func (h *handlers) handleGetStream(w http.ResponseWriter, r *http.Request) {
|
||||
track, apiErr := resolveByID(r, "id", dbq.New(h.pool).GetTrackByID, "track")
|
||||
if apiErr != nil {
|
||||
writeErr(w, apiErr)
|
||||
return
|
||||
}
|
||||
if !h.streamAuthOk(r, uuidToString(track.ID)) {
|
||||
writeErr(w, apierror.ErrUnauthorized)
|
||||
return
|
||||
}
|
||||
f, err := os.Open(track.FilePath)
|
||||
if err != nil {
|
||||
// File vanished (scanner indexed it, filesystem lost it). Treat as
|
||||
|
||||
Reference in New Issue
Block a user