feat(mediaauth): playback authorization (token + IP/country/UA/referer chain) — B / S-13

[ntt0601zcoder]

Part B — media/playback auth plane

Open-Streamer had no playback access control: anyone reaching a stream URL could watch it, ?token= was recorded but never enforced, and a tokened SRT streamid failed to resolve (audit S-13). This adds a playback authorizer enforced on every delivery protocol.

Design — internal/mediaauth

A Flussonic-style chain (deny wins → allow-list gates → policy gate):

1. ClientIP / Country / User-Agent on a Deny list → reject
2. any non-empty Allow list the request misses (IP / country / UA) → reject
3. AllowedDomains set and the Referer host isn't covered → reject
4. effective policy == token and token missing/invalid → reject
5. else allow

Token = HMAC-SHA256, client-signed, server verify-only:
token = "<exp>.<base64url(HMAC(secret, "code|exp"))>" — constant-time compare, expiry- and stream-code-bound. Clients mint it with the shared secret via the documented mediaauth.SignToken format; no server mint endpoint (per request — server only verifies).

Wiring (authorize before any bytes/state)

• HTTP (HLS / DASH / MPEGTS / DVR) — dispatchMedia.mediaAllowed.
• RTMP / SRT / RTSP play — publisher.playAllowed.

Effective policy = per-stream Stream.PlaybackAuth (public/token, template-inherited) else global auth.media.default_policy; static rules (IP/country via the existing sessions GeoIP, UA, referer) are global. Disabled by default (no behaviour change). Fail-closed when token policy has no secret. Config auth.media.*, hot-reloaded (atomic snapshot). Per-stream policy resolves from the publisher's in-memory table for live streams (O(1), no store read on the hot path) and from the store for stopped-stream DVR archives.

Adversarial review → 2 real issues found & fixed

1. ABR renditions were authed under <code>/track_N → a token for <code> was rejected (broke transcoded/ABR token playback). Now keyed on the parent code.
2. Stopped-stream DVR archive policy downgraded to global default. Now resolved from the store so a token stream stays protected.
   Plus the SRT ?token= parse bug (srtStreamCode strips the query).

Caveats (separate findings, documented)

• IP/country rules trust r.RemoteAddr from RealIP/X-Forwarded-For → need a header-overwriting trusted proxy (S-15/S-17).
• RTMP play carries no token (IP/country still apply).
• Dynamic HTTP-callback (on_play) backend + per-stream rule overrides — planned follow-up.

Config

auth:
  media:
    enabled: true
    default_policy: token        # public | token
    token_secret: "<shared-secret>"
    deny_countries: ["CN"]
    allow_ips: ["10.0.0.0/8"]
    allowed_domains: ["example.com"]

Per-stream override: playback_auth: public|token on the stream/template.

Test

internal/mediaauth suite (deny/allow per dimension; token sign/verify/expiry/tamper/cross-stream; per-stream override; fail-closed; hot-reload), TestStripABRTrackSlug. go test -race ./internal/mediaauth/ ./internal/publisher/ ./internal/api/... green, golangci-lint 0 issues, full go build ./... green.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 56.57371% with 109 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
internal/publisher/playauth.go	0.00%	26 Missing ⚠️
cmd/server/main.go	0.00%	25 Missing ⚠️
internal/api/dispatch.go	40.62%	19 Missing ⚠️
internal/mediaauth/mediaauth.go	92.08%	7 Missing and 4 partials ⚠️
internal/publisher/serve_rtsp.go	0.00%	9 Missing ⚠️
internal/publisher/serve_srt.go	0.00%	7 Missing and 1 partial ⚠️
internal/runtime/manager.go	0.00%	5 Missing ⚠️
internal/domain/template.go	0.00%	1 Missing and 1 partial ⚠️
internal/publisher/serve_rtmp.go	0.00%	2 Missing ⚠️
internal/api/server.go	0.00%	1 Missing ⚠️
... and 1 more

📢 Thoughts on this report? Let us know!