feat: Add support use own device authentication server

Signed-off-by: Jianhui Zhao <[email protected]>

README.md

@@ -6,7 +6,7 @@
 [4]: https://github.com/zhaojh329/rttys/pulls
 [5]: https://img.shields.io/badge/Issues-welcome-brightgreen.svg?style=plastic
 [6]: https://github.com/zhaojh329/rttys/issues/new
-[7]: https://img.shields.io/badge/release-4.1.5-blue.svg?style=plastic
+[7]: https://img.shields.io/badge/release-4.1.4-blue.svg?style=plastic
 [8]: https://github.com/zhaojh329/rttys/releases
 [9]: https://github.com/zhaojh329/rttys/workflows/build/badge.svg
 
@@ -39,6 +39,19 @@ Use token
 
     $ rttys run -t 34762d07637276694b938d23f10d7164
 
+### Use your own authentication server
+If the device authentication URL is configured, when the device connecting,
+rttys will initiate an authentication request to this URL, and the authentication
+server will return whether the authentication has been passed.
+
+HTTP Method: POST
+
+Request data format:
+    {"devid":"test", "token":"34762d07637276694b938d23f10d7164"}
+
+Authentication Server Response Format:
+    {"auth": true}
+
 ### mTLS
 You can enable mTLS by specifying device CA storage (valid file) in config file or from CLI (variable ssl-cacert).
 Device(s) without valid CA in storage will be disconnected in TLS handshake.
@@ -75,7 +88,7 @@ Quit from database console by exit.
 
 ## Docker
 
-    sudo docker run -it -p 5912:5912 -p 5913:5913 -p 5914:5914 zhaojh329/rttys:latest run --addr-http-proxy :5914
+    sudo docker run -it -p 5912:5912 -p 5913:5913 zhaojh329/rttys:latest
 
 ## Contributing
 If you would like to help making [rttys](https://github.com/zhaojh329/rttys) better,

README_ZH.md

@@ -6,7 +6,7 @@
 [4]: https://github.com/zhaojh329/rttys/pulls
 [5]: https://img.shields.io/badge/Issues-welcome-brightgreen.svg?style=plastic
 [6]: https://github.com/zhaojh329/rttys/issues/new
-[7]: https://img.shields.io/badge/release-4.1.5-blue.svg?style=plastic
+[7]: https://img.shields.io/badge/release-4.1.4-blue.svg?style=plastic
 [8]: https://github.com/zhaojh329/rttys/releases
 [9]: https://github.com/zhaojh329/rttys/workflows/build/badge.svg
 
@@ -37,7 +37,18 @@ golang and node 20+ is required
 
 使用 token
 
-    $rttys -t 34762d07637276694b938d23f10d7164
+    $ rttys -t 34762d07637276694b938d23f10d7164
+
+### 使用自己的认证服务器
+如果配置了设备认证 url, 设备连接时, rttys 会向此 url 发起认证请求, 认证服务器返回是否通过认证.
+
+请求方式: POST
+
+请求数据格式:
+    {"devid":"test", "token":"34762d07637276694b938d23f10d7164"}
+
+认证服务器响应格式:
+    {"auth": true}
 
 ### SSL 双向认证(mTLS)
 您可以在配置文件中指定设备 CA 存储(有效文件)或在 CLI 中指定设备 CA 存储(参数 ssl-cacert) 来启用 mTLS。
@@ -75,7 +86,7 @@ FLUSH PRIVILEGES;
 
 ## Docker
 
-    sudo docker run -it -p 5912:5912 -p 5913:5913 -p 5914:5914 zhaojh329/rttys:latest run --addr-http-proxy :5914
+    sudo docker run -it -p 5912:5912 -p 5913:5913 zhaojh329/rttys:latest
 
 ## 贡献代码
 如果你想帮助[rttys](https://github.com/zhaojh329/rttys)变得更好，请参考

broker.go

@@ -5,6 +5,8 @@ import (
 	"encoding/binary"
 	"fmt"
 	"io"
+	"net/http"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -62,6 +64,32 @@ func newBroker(cfg *config.Config) *broker {
 	}
 }
 
+func devAuth(cfg *config.Config, dev *device) bool {
+	if cfg.DevAuthUrl == "" {
+		return cfg.Token == "" || dev.token == cfg.Token
+	}
+
+	cli := &http.Client{
+		Timeout: 3 * time.Second,
+	}
+
+	data := fmt.Sprintf(`{"devid":"%s", "token":"%s"}`, dev.id, dev.token)
+	resp, err := cli.Post(cfg.DevAuthUrl, "application/json", strings.NewReader(data))
+	if err != nil {
+		log.Error().Msg("device auth fail:" + err.Error())
+		return false
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Error().Msg("device auth fail:" + err.Error())
+		return false
+	}
+
+	return jsoniter.Get(body, "auth").ToBool()
+}
+
 func (br *broker) run() {
 	for {
 		select {
@@ -81,7 +109,7 @@ func (br *broker) run() {
 					log.Error().Msg("Device ID conflicting: " + devid)
 					msg = "ID conflicting"
 					err = 1
-				} else if br.cfg.Token != "" && dev.token != br.cfg.Token {
+				} else if !devAuth(br.cfg, dev) {
 					log.Error().Msg("Invalid token from terminal device")
 					msg = "Invalid token"
 					err = 1

config/config.go

@@ -15,15 +15,16 @@ type Config struct {
 	AddrDev           string
 	AddrUser          string
 	AddrHttpProxy     string
-	DisableSignUp	   	  bool
+	DisableSignUp     bool
 	HttpProxyRedirURL string
 	HttpProxyPort     int
 	SslCert           string
 	SslKey            string
 	SslCacert         string // mTLS for device
-	WebUISslCert       string
-	WebUISslKey        string
+	WebUISslCert      string
+	WebUISslKey       string
 	Token             string
+	DevAuthUrl        string
 	WhiteList         map[string]bool
 	DB                string
 	LocalAuth         bool
@@ -52,7 +53,7 @@ func Parse(c *cli.Context) *Config {
 		AddrDev:           c.String("addr-dev"),
 		AddrUser:          c.String("addr-user"),
 		AddrHttpProxy:     c.String("addr-http-proxy"),
-		DisableSignUp:      c.Bool("disable-sign-up"),
+		DisableSignUp:     c.Bool("disable-sign-up"),
 		HttpProxyRedirURL: c.String("http-proxy-redir-url"),
 		SslCert:           c.String("ssl-cert"),
 		SslKey:            c.String("ssl-key"),
@@ -61,6 +62,7 @@ func Parse(c *cli.Context) *Config {
 		WebUISslCert:      c.String("webui-ssl-cert"),
 		WebUISslKey:       c.String("webui-ssl-key"),
 		Token:             c.String("token"),
+		DevAuthUrl:        c.String("dev-auth-url"),
 		DB:                c.String("db"),
 		LocalAuth:         c.Bool("local-auth"),
 	}
@@ -96,6 +98,7 @@ func Parse(c *cli.Context) *Config {
 			cfg.WebUISslKey = cfg.SslKey
 		}
 		getConfigOpt(yamlCfg, "token", &cfg.Token)
+		getConfigOpt(yamlCfg, "dev-auth-url", &cfg.DevAuthUrl)
 		getConfigOpt(yamlCfg, "db", &cfg.DB)
 		getConfigOpt(yamlCfg, "local-auth", &cfg.LocalAuth)
 		val, err := yamlCfg.Get("white-list")

main.go

@@ -145,6 +145,11 @@ func main() {
 						Value:   "",
 						Usage:   "token to use",
 					},
+					&cli.StringFlag{
+						Name:  "dev-auth-url",
+						Value: "",
+						Usage: "using device auth url instead of token",
+					},
 					&cli.StringFlag{
 						Name:  "white-list",
 						Value: "",

rttys.conf

@@ -16,6 +16,7 @@
 #webui-ssl-key: /etc/rttys/webui-rttys.key
 
 #token: a1d4cdb1a3cd6a0e94aa3599afcddcf5
+#dev-auth-url: http://127.0.0.1:8080/rttys-dev-auth
 
 # No login required to connect device.
 # Values can be device IDs separated by spaces,