feat: Add support use own device authentication server

Signed-off-by: Jianhui Zhao <[email protected]>

README.md

@@ -39,6 +39,19 @@ Use token
 
     $ rttys run -t 34762d07637276694b938d23f10d7164
 
+### Use your own authentication server
+If the device authentication URL is configured, when the device connecting,
+rttys will initiate an authentication request to this URL, and the authentication
+server will return whether the authentication has been passed.
+
+Request data format:
+
+    {"devid":"test", "token":"34762d07637276694b938d23f10d7164"}
+
+Authentication Server Response Format:
+
+    {"auth": true}
+
 ### mTLS
 You can enable mTLS by specifying device CA storage (valid file) in config file or from CLI (variable ssl-cacert).
 Device(s) without valid CA in storage will be disconnected in TLS handshake.

README_ZH.md

@@ -39,6 +39,17 @@ golang and node 20+ is required
 
     $ rttys -t 34762d07637276694b938d23f10d7164
 
+### 使用自己的认证服务器
+如果配置了设备认证 url, 设备连接时, rttys 会向此 url 发起认证请求, 认证服务器返回是否通过认证.
+
+请求数据格式:
+
+    {"devid":"test", "token":"34762d07637276694b938d23f10d7164"}
+
+认证服务器响应格式:
+
+    {"auth": true}
+
 ### SSL 双向认证(mTLS)
 您可以在配置文件中指定设备 CA 存储(有效文件)或在 CLI 中指定设备 CA 存储(参数 ssl-cacert) 来启用 mTLS。
 存储中没有有效 CA 的设备将在 TLS 握手中断开连接。

broker.go

@@ -5,6 +5,8 @@ import (
 	"encoding/binary"
 	"fmt"
 	"io"
+	"net/http"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -62,6 +64,32 @@ func newBroker(cfg *config.Config) *broker {
 	}
 }
 
+func devAuth(cfg *config.Config, dev *device) bool {
+	if cfg.DevAuthUrl == "" {
+		return cfg.Token == "" || dev.token == cfg.Token
+	}
+
+	cli := &http.Client{
+		Timeout: 3 * time.Second,
+	}
+
+	data := fmt.Sprintf(`{"devid":"%s", "token":"%s"}`, dev.id, dev.token)
+	resp, err := cli.Post(cfg.DevAuthUrl, "application/json", strings.NewReader(data))
+	if err != nil {
+		log.Error().Msg("device auth fail:" + err.Error())
+		return false
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Error().Msg("device auth fail:" + err.Error())
+		return false
+	}
+
+	return jsoniter.Get(body, "auth").ToBool()
+}
+
 func (br *broker) run() {
 	for {
 		select {
@@ -81,7 +109,7 @@ func (br *broker) run() {
 					log.Error().Msg("Device ID conflicting: " + devid)
 					msg = "ID conflicting"
 					err = 1
-				} else if br.cfg.Token != "" && dev.token != br.cfg.Token {
+				} else if !devAuth(br.cfg, dev) {
 					log.Error().Msg("Invalid token from terminal device")
 					msg = "Invalid token"
 					err = 1

config/config.go

@@ -24,6 +24,7 @@ type Config struct {
 	WebUISslCert      string
 	WebUISslKey       string
 	Token             string
+	DevAuthUrl        string
 	WhiteList         map[string]bool
 	DB                string
 	LocalAuth         bool
@@ -61,6 +62,7 @@ func Parse(c *cli.Context) *Config {
 		WebUISslCert:      c.String("webui-ssl-cert"),
 		WebUISslKey:       c.String("webui-ssl-key"),
 		Token:             c.String("token"),
+		DevAuthUrl:        c.String("dev-auth-url"),
 		DB:                c.String("db"),
 		LocalAuth:         c.Bool("local-auth"),
 	}
@@ -96,6 +98,7 @@ func Parse(c *cli.Context) *Config {
 			cfg.WebUISslKey = cfg.SslKey
 		}
 		getConfigOpt(yamlCfg, "token", &cfg.Token)
+		getConfigOpt(yamlCfg, "dev-auth-url", &cfg.DevAuthUrl)
 		getConfigOpt(yamlCfg, "db", &cfg.DB)
 		getConfigOpt(yamlCfg, "local-auth", &cfg.LocalAuth)
 		val, err := yamlCfg.Get("white-list")

main.go

@@ -145,6 +145,11 @@ func main() {
 						Value:   "",
 						Usage:   "token to use",
 					},
+					&cli.StringFlag{
+						Name:  "dev-auth-url",
+						Value: "",
+						Usage: "using device auth url instead of token",
+					},
 					&cli.StringFlag{
 						Name:  "white-list",
 						Value: "",

rttys.conf

@@ -16,6 +16,7 @@
 #webui-ssl-key: /etc/rttys/webui-rttys.key
 
 #token: a1d4cdb1a3cd6a0e94aa3599afcddcf5
+#dev-auth-url: http://127.0.0.1:8080/rttys-dev-auth
 
 # No login required to connect device.
 # Values can be device IDs separated by spaces,