Normally the /admin/listclients?mountpoint=/stream URL is accessible by authenticating with the <source-password> (when not using Mountpoint Authentication. However when specifying <authentication type="url"> with the stream_auth option the end-point returns 403 Forbidden with "Mountpoint in use".
This end-point is specifically used by RadioCaster (possibly other encoders) to present the listeners on the connected mount.
In our testing:
The header icecast-auth-user: 1 is purposely always returned regardless of provided username/password
Source client encoder connects and broadcasts successfully
Authentication with is always successful, even when returning icecast-auth-user: 0
On connect to /admin/listclients we can see through nginx logs and wireshark that the endpoint is being hit successfully and the correct header being sent back to icecast service
Example configuration where "Mountpoint in use" error is presented (auth.php always returning header icecast-auth-user: 1), even if using authentication of source:source-password
[2023-08-11 04:09:33] DBUG admin/admin_handle_request Got command (listclients)
[2023-08-11 04:09:33] INFO auth/auth_stream_authenticate request source auth for "/stream"
[2023-08-11 04:09:33] DBUG auth/queue_auth_client ...refcount on auth_t /stream is now 2
[2023-08-11 04:09:33] INFO auth/queue_auth_client auth on /stream has 1 pending
[2023-08-11 04:09:33] DBUG auth/auth_run_thread 1 client(s) pending on /stream
[2023-08-11 04:09:33] DBUG stats/modify_node_event update global clients (2)
[2023-08-11 04:09:33] DBUG stats/modify_node_event update global connections (587)
[2023-08-11 04:09:33] DBUG stats/modify_node_event update global client_connections (563)
[2023-08-11 04:09:33] DBUG auth/auth_release ...refcount on auth_t /stream is now 1
[2023-08-11 04:09:33] DBUG auth/auth_postprocess_source on mountpoint /stream
[2023-08-11 04:09:33] DBUG fserve/fserve_add_client Adding client to file serving engine
[2023-08-11 04:09:33] DBUG fserve/fserve_add_pending fserve handler waking up
[2023-08-11 04:09:33] WARN connection/source_startup Mountpoint /stream in use
Is it something to do with auth.c auth_postprocess_source only checking for admin.cgi and /admin/metadata? Should it also be looking for /admin/listclients and then pass admin_handle_request(client,"/admin/listclients") or something?
/* Decide whether we need to start a source or just process a source
* admin request.
*/
void auth_postprocess_source (auth_client *auth_user)
{
client_t *client = auth_user->client;
const char *mount = auth_user->mount;
const char *req = httpp_getvar (client->parser, HTTPP_VAR_URI);
auth_user->client = NULL;
client->authenticated = 1;
if (strcmp (req, "/admin.cgi") == 0 || strncmp ("/admin/metadata", req, 15) == 0)
{
ICECAST_LOG_DEBUG("metadata request (%s, %s)", req, mount);
admin_handle_request (client, "/admin/metadata");
}
else
{
ICECAST_LOG_DEBUG("on mountpoint %s", mount);
source_startup (client, mount, 0);
}
}
Normally the /admin/listclients?mountpoint=/stream URL is accessible by authenticating with the
<source-password>(when not using Mountpoint Authentication. However when specifying<authentication type="url">with thestream_authoption the end-point returns403 Forbiddenwith "Mountpoint in use".A similar issue has been created 3 years ago at xiph.org, however i've created this with more information.
This end-point is specifically used by RadioCaster (possibly other encoders) to present the listeners on the connected mount.
In our testing:
icecast-auth-user: 1is purposely always returned regardless of provided username/passwordicecast-auth-user: 0Example configuration where "Mountpoint in use" error is presented (auth.php always returning header
icecast-auth-user: 1), even if using authentication ofsource:source-passwordExample configuration that works successfully with
source:source-passwordNotably in the log files
Here is the error.log[5] when using URL auth:
Is it something to do with auth.c
auth_postprocess_sourceonly checking for admin.cgi and /admin/metadata? Should it also be looking for /admin/listclients and then passadmin_handle_request(client,"/admin/listclients")or something?