[fix](trx-client): pass HTTP auth config from TOML to server

The HTTP server was hardcoding auth config with enabled=false, ignoring the actual configuration from trx-client.toml. This prevented authentication enforcement even when enabled with passphrases. Solution: Store auth config values in FrontendRuntimeContext during initialization in main.rs, then extract and use them in server.rs build_server() instead of hardcoding. Fixes auth bypass where unauthenticated users could access the web UI. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Stanislaw Grams <stanislawgrams@gmail.com>
2026-02-13 08:36:01 +01:00
parent 070409c280
commit e3deac2731
3 changed files with 49 additions and 9 deletions
@@ -159,6 +159,19 @@ async fn async_init() -> DynResult<AppState> {
        .cloned()
        .collect();

+    // Set HTTP frontend authentication config
+    frontend_runtime.http_auth_enabled = cfg.frontends.http.auth.enabled;
+    frontend_runtime.http_auth_rx_passphrase = cfg.frontends.http.auth.rx_passphrase.clone();
+    frontend_runtime.http_auth_control_passphrase = cfg.frontends.http.auth.control_passphrase.clone();
+    frontend_runtime.http_auth_tx_access_control_enabled = cfg.frontends.http.auth.tx_access_control_enabled;
+    frontend_runtime.http_auth_session_ttl_secs = cfg.frontends.http.auth.session_ttl_min * 60;
+    frontend_runtime.http_auth_cookie_secure = cfg.frontends.http.auth.cookie_secure;
+    frontend_runtime.http_auth_cookie_same_site = match cfg.frontends.http.auth.cookie_same_site {
+        config::CookieSameSite::Strict => "Strict".to_string(),
+        config::CookieSameSite::Lax => "Lax".to_string(),
+        config::CookieSameSite::None => "None".to_string(),
+    };
+
    // Resolve remote URL: CLI > config [remote] section > error
    let remote_url = cli
        .url
@@ -126,6 +126,20 @@ pub struct FrontendRuntimeContext {
    pub rigctl_listen_addr: Arc<Mutex<Option<SocketAddr>>>,
    /// Guard to avoid spawning duplicate decode collectors.
    pub decode_collector_started: AtomicBool,
+    /// HTTP frontend authentication configuration (enabled, passphrases, TTL, etc.)
+    pub http_auth_enabled: bool,
+    /// HTTP frontend auth rx passphrase
+    pub http_auth_rx_passphrase: Option<String>,
+    /// HTTP frontend auth control passphrase
+    pub http_auth_control_passphrase: Option<String>,
+    /// HTTP frontend auth tx access control enabled
+    pub http_auth_tx_access_control_enabled: bool,
+    /// HTTP frontend auth session TTL in seconds
+    pub http_auth_session_ttl_secs: u64,
+    /// HTTP frontend auth cookie secure flag
+    pub http_auth_cookie_secure: bool,
+    /// HTTP frontend auth cookie same-site policy
+    pub http_auth_cookie_same_site: String,
 }

 impl FrontendRuntimeContext {
@@ -144,6 +158,13 @@ impl FrontendRuntimeContext {
            rigctl_clients: Arc::new(AtomicUsize::new(0)),
            rigctl_listen_addr: Arc::new(Mutex::new(None)),
            decode_collector_started: AtomicBool::new(false),
+            http_auth_enabled: false,
+            http_auth_rx_passphrase: None,
+            http_auth_control_passphrase: None,
+            http_auth_tx_access_control_enabled: true,
+            http_auth_session_ttl_secs: 480 * 60,
+            http_auth_cookie_secure: false,
+            http_auth_cookie_same_site: "Lax".to_string(),
        }
    }
 }
@@ -78,18 +78,24 @@ fn build_server(
    let state_data = web::Data::new(state_rx);
    let rig_tx = web::Data::new(rig_tx);
    let clients = web::Data::new(Arc::new(AtomicUsize::new(0)));
-    let context_data = web::Data::new(context);

-    // Create authentication state (default: disabled)
+    // Extract auth config values before moving context
+    let same_site = match context.http_auth_cookie_same_site.as_str() {
+        "Strict" => SameSite::Strict,
+        "None" => SameSite::None,
+        _ => SameSite::Lax,  // default
+    };
    let auth_config = AuthConfig::new(
-        false,  // enabled - disabled by default
-        None,   // rx_passphrase
-        None,   // control_passphrase
-        true,   // tx_access_control_enabled
-        Duration::from_secs(480 * 60),  // session_ttl (480 minutes)
-        false,  // cookie_secure
-        SameSite::Lax,  // cookie_same_site
+        context.http_auth_enabled,
+        context.http_auth_rx_passphrase.clone(),
+        context.http_auth_control_passphrase.clone(),
+        context.http_auth_tx_access_control_enabled,
+        Duration::from_secs(context.http_auth_session_ttl_secs),
+        context.http_auth_cookie_secure,
+        same_site,
    );
+
+    let context_data = web::Data::new(context);
    let auth_state = web::Data::new(AuthState::new(auth_config.clone()));

    // Spawn session cleanup task if auth is enabled