Glimesh / broadcast-box

A broadcast, in a box.
MIT License

Limiting who can stream to an instance #140

Open SniperAsh6 opened 2 months ago

SniperAsh6 commented 2 months ago

Discussed with @Sean-Der on Discord so raising here to discuss further and welcome suggestions from others.

The ask was whether there's anything in place, or that can be easily added, to limit who can stream to an instance of Broadcast Box, as presently if someone can connect to watch something they can also stream to it, which could quite easily be abused.

One such idea was about adding a query parameter which is a token set, potentially, as an environment variable, so that only when they match will the input stream be allowed. An alternative suggestion from Sean was the possibility of using nginx, and how it may have other advantages for serving static content too.

mpisat commented 1 month ago

Webhooks would be much better. This way a custom backend in any language can authorize publish and view events easily.

Sean-Der commented 1 month ago

I agree. Would you be interested in helping start this @mpisat ?

Maybe you set a URL per instance. Then have a JSON body with event and other data.

mpisat commented 1 month ago

I will try to implement something, test it, and if I'm satisfied with the result, I'll send an MR.

mpisat commented 1 month ago

I have this one https://github.com/mpisat/broadcast-box/pull/1

and provided a simple Go backend to receive webhooks (and allow them):

```
root@sin:~/broadcast-box# ./broadcast-box
2024/07/15 23:59:12 Loading .env.production
2024/07/15 23:59:12 Running HTTP Server at :8080
2024/07/15 23:59:24 Starting webhook call to http://localhost:8081/webhook with timeout 0 ms
2024/07/15 23:59:24 Sending webhook request...
2024/07/15 23:59:24 Received webhook response with status code 200 after 3.658376ms
```

On the Go mock backend side:

```
2024/07/15 23:59:24 Incoming webhook payload: {
  "action": "publish",
  "streamKey": "murat",
  "ip": "[2403:6200:8976:bf79:a123:b51a:3a33:2760]:64286",
  "bearerToken": "murat",
  "queryParams": {},
  "userAgent": "Go-http-client/1.1"
}
```

If it is set to deny:

```
2024/07/16 00:02:27 Sending webhook request...
2024/07/16 00:02:27 Received webhook response with status code 403 after 1.083348ms
2024/07/16 00:02:27 Webhook denied access
```

You can be creative and provide queryparams to streamkey for view authorization, but it will require further code changes. For publishing, it is working out of the box.

I can send an MR if code quality is acceptable.
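A receiver for the webhook exchange shown in the logs above, as an added example that is not code from the linked PR or from Broadcast Box. It allows `publish` only when the bearer token matches a per-stream-key secret and answers 200 or 403 as in the logs. Assumptions: the `publishTokens` table and its secret are constructed, the `view` action name is a guess (only `publish` appears in the thread), and the listen address is taken from the logged webhook URL.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
)

// Field names copied from the payload logged in the thread; other fields are ignored.
type webhookPayload struct {
	Action      string `json:"action"`
	StreamKey   string `json:"streamKey"`
	IP          string `json:"ip"`
	BearerToken string `json:"bearerToken"`
}

// Stream key -> publish secret. Constructed sample data, not a real credential.
var publishTokens = map[string]string{"murat": "constructed-sample-secret"}

// decide returns the HTTP status for one event: 200 allows, 403 denies.
func decide(p webhookPayload) int {
	want, known := publishTokens[p.StreamKey]
	switch {
	case p.Action == "view": // action name assumed; the thread only logs "publish"
		return http.StatusOK
	case p.Action == "publish" && known &&
		subtle.ConstantTimeCompare([]byte(p.BearerToken), []byte(want)) == 1:
		return http.StatusOK
	}
	return http.StatusForbidden // unknown action, key or token: fail closed
}

func webhookHandler(w http.ResponseWriter, r *http.Request) {
	var p webhookPayload
	r.Body = http.MaxBytesReader(w, r.Body, 1<<16) // bound the request body
	if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&p) != nil {
		w.WriteHeader(http.StatusForbidden)
		return
	}
	status := decide(p)
	// %q escapes client-controlled values so they cannot forge log lines.
	log.Printf("action=%q streamKey=%q ip=%q status=%d", p.Action, p.StreamKey, p.IP, status)
	w.WriteHeader(status)
}

func main() {
	http.HandleFunc("/webhook", webhookHandler)
	log.Fatal(http.ListenAndServe("localhost:8081", nil))
}
```

With this table, the request logged in the thread (`bearerToken` equal to the stream key `murat`) is denied, because the secret is not derived from the stream key.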