sjg/trx-rs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[feat](trx-frontend-http): allow unrestricted RX access when rx_passphrase not set

Browse Source 
When HTTP auth is enabled but rx_passphrase is not configured, allow
unauthenticated users to access read-only endpoints (status, events,
decode, audio) without authentication. This enables monitoring-only
access while protecting TX control with a passphrase.

Changes:
- AuthMiddleware: Skip auth check for read routes when rx_passphrase is None
- session_status: Grant rx role to unauthenticated users when no rx passphrase required

Use case: Set only control_passphrase to protect TX/PTT while allowing
anyone on the network to monitor the radio.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stanislaw Grams <stanislawgrams@gmail.com>
This commit is contained in:
Stan Grams
2026-02-13 08:39:05 +01:00
parent e3deac2731
commit 20d08f6c7c
1 changed files with 32 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/trx-client/trx-frontend/trx-frontend-http/src/auth.rs
+32 -5
View File
@@ -360,13 +360,27 @@ pub async fn session_status(
} }
let session_id = extract_session_id(&req); let session_id = extract_session_id(&req);
let role = session_id if let Some(session_record) = session_id.and_then(|sid| auth_state.store.get(&sid)) {
.and_then(|sid| auth_state.store.get(&sid)) // User has valid session
.map(|r| r.role.as_str().to_string()); return Ok(HttpResponse::Ok().json(SessionStatus {
authenticated: true,
role: Some(session_record.role.as_str().to_string()),
}));
}
// No session - check if rx access is unrestricted
if auth_state.config.rx_passphrase.is_none() {
// No rx passphrase required - grant rx role to unauthenticated users
return Ok(HttpResponse::Ok().json(SessionStatus {
authenticated: false,
role: Some("rx".to_string()),
}));
}
// Auth required but no valid session
Ok(HttpResponse::Ok().json(SessionStatus { Ok(HttpResponse::Ok().json(SessionStatus {
authenticated: role.is_some(), authenticated: false,
role, role: None,
})) }))
} }
@@ -501,6 +515,19 @@ where
// Auth enabled - check role // Auth enabled - check role
let role = get_session_role(req.request(), &auth_state); let role = get_session_role(req.request(), &auth_state);
// If rx_passphrase is not set, allow unauthenticated read access
let allow_unrestricted_read = auth_state.config.rx_passphrase.is_none();
let is_read_route = access == RouteAccess::Read;
if is_read_route && allow_unrestricted_read {
// No rx authentication required - allow read access without role
let fut = self.service.call(req);
return Box::pin(async move {
let res = fut.await?;
Ok(res)
});
}
if !access.allows(role) { if !access.allows(role) {
// Access denied - return 401/403 // Access denied - return 401/403
return Box::pin(async move { return Box::pin(async move {