[feat](trx-frontend-http): allow unrestricted RX access when rx_passphrase not set

When HTTP auth is enabled but rx_passphrase is not configured, allow unauthenticated users to access read-only endpoints (status, events, decode, audio) without authentication. This enables monitoring-only access while protecting TX control with a passphrase. Changes: - AuthMiddleware: Skip auth check for read routes when rx_passphrase is None - session_status: Grant rx role to unauthenticated users when no rx passphrase required Use case: Set only control_passphrase to protect TX/PTT while allowing anyone on the network to monitor the radio. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Stanislaw Grams <stanislawgrams@gmail.com>
2026-02-13 08:39:05 +01:00
parent e3deac2731
commit 20d08f6c7c
1 changed files with 32 additions and 5 deletions
@@ -360,13 +360,27 @@ pub async fn session_status(
    }

    let session_id = extract_session_id(&req);
-    let role = session_id
-        .and_then(|sid| auth_state.store.get(&sid))
-        .map(|r| r.role.as_str().to_string());
+    if let Some(session_record) = session_id.and_then(|sid| auth_state.store.get(&sid)) {
+        // User has valid session
+        return Ok(HttpResponse::Ok().json(SessionStatus {
+            authenticated: true,
+            role: Some(session_record.role.as_str().to_string()),
+        }));
+    }

+    // No session - check if rx access is unrestricted
+    if auth_state.config.rx_passphrase.is_none() {
+        // No rx passphrase required - grant rx role to unauthenticated users
+        return Ok(HttpResponse::Ok().json(SessionStatus {
+            authenticated: false,
+            role: Some("rx".to_string()),
+        }));
+    }
+
+    // Auth required but no valid session
    Ok(HttpResponse::Ok().json(SessionStatus {
-        authenticated: role.is_some(),
-        role,
+        authenticated: false,
+        role: None,
    }))
 }

@@ -501,6 +515,19 @@ where
            // Auth enabled - check role
            let role = get_session_role(req.request(), &auth_state);

+            // If rx_passphrase is not set, allow unauthenticated read access
+            let allow_unrestricted_read = auth_state.config.rx_passphrase.is_none();
+            let is_read_route = access == RouteAccess::Read;
+
+            if is_read_route && allow_unrestricted_read {
+                // No rx authentication required - allow read access without role
+                let fut = self.service.call(req);
+                return Box::pin(async move {
+                    let res = fut.await?;
+                    Ok(res)
+                });
+            }
+
            if !access.allows(role) {
                // Access denied - return 401/403
                return Box::pin(async move {