Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/admin/listclients with URL authentication returns 403 Forbidden Mountpoint in use #66

Open
TheRealMattLear opened this issue Aug 11, 2023 · 0 comments
Open

/admin/listclients with URL authentication returns 403 Forbidden Mountpoint in use #66

TheRealMattLear opened this issue Aug 11, 2023 · 0 comments

Comments

@TheRealMattLear
Copy link

TheRealMattLear commented Aug 11, 2023
edited
Loading

Normally the /admin/listclients?mountpoint=/stream URL is accessible by authenticating with the <source-password> (when not using Mountpoint Authentication. However when specifying <authentication type="url"> with the stream_auth option the end-point returns 403 Forbidden with "Mountpoint in use".

A similar issue has been created 3 years ago at xiph.org, however i've created this with more information.

This end-point is specifically used by RadioCaster (possibly other encoders) to present the listeners on the connected mount.

In our testing:

  • The header icecast-auth-user: 1 is purposely always returned regardless of provided username/password
  • Source client encoder connects and broadcasts successfully
  • Authentication with is always successful, even when returning icecast-auth-user: 0
  • On connect to /admin/listclients we can see through nginx logs and wireshark that the endpoint is being hit successfully and the correct header being sent back to icecast service

Example configuration where "Mountpoint in use" error is presented (auth.php always returning header icecast-auth-user: 1), even if using authentication of source:source-password

<icecast>
    <limits>
        ...
    </limits>

    <authentication>
        <source-password>source-password</source-password>
        <admin-user>admin</admin-user>
        <admin-password>admin-password</admin-password>
    </authentication>
    <mount>
      <mount-name>/stream</mount-name>
      <charset>UTF-8</charset>
      <bitrate>128</bitrate>
      <authentication type="url">
        <option name="stream_auth" value="http://localhost/auth.php"/>
      </authentication>
    </mount>
    ...
</icecast>

Example configuration that works successfully with source:source-password

<icecast>
    <limits>
        ...
    </limits>

    <authentication>
        <source-password>source-password</source-password>
        <admin-user>admin</admin-user>
        <admin-password>admin-password</admin-password>
    </authentication>
    <mount>
      <mount-name>/stream</mount-name>
      <charset>UTF-8</charset>
      <bitrate>128</bitrate>
    </mount>
    ...
</icecast>

Notably in the log files

Here is the error.log[5] when using URL auth:

[2023-08-11  04:09:33] DBUG admin/admin_handle_request Got command (listclients)
[2023-08-11  04:09:33] INFO auth/auth_stream_authenticate request source auth for "/stream"
[2023-08-11  04:09:33] DBUG auth/queue_auth_client ...refcount on auth_t /stream is now 2
[2023-08-11  04:09:33] INFO auth/queue_auth_client auth on /stream has 1 pending
[2023-08-11  04:09:33] DBUG auth/auth_run_thread 1 client(s) pending on /stream
[2023-08-11  04:09:33] DBUG stats/modify_node_event update global clients (2)
[2023-08-11  04:09:33] DBUG stats/modify_node_event update global connections (587)
[2023-08-11  04:09:33] DBUG stats/modify_node_event update global client_connections (563)
[2023-08-11  04:09:33] DBUG auth/auth_release ...refcount on auth_t /stream is now 1
[2023-08-11  04:09:33] DBUG auth/auth_postprocess_source on mountpoint /stream
[2023-08-11  04:09:33] DBUG fserve/fserve_add_client Adding client to file serving engine
[2023-08-11  04:09:33] DBUG fserve/fserve_add_pending fserve handler waking up
[2023-08-11  04:09:33] WARN connection/source_startup Mountpoint /stream in use

Is it something to do with auth.c auth_postprocess_source only checking for admin.cgi and /admin/metadata? Should it also be looking for /admin/listclients and then pass admin_handle_request(client,"/admin/listclients") or something?


/* Decide whether we need to start a source or just process a source
 * admin request.
 */
void auth_postprocess_source (auth_client *auth_user)
{
    client_t *client = auth_user->client;
    const char *mount = auth_user->mount;
    const char *req = httpp_getvar (client->parser, HTTPP_VAR_URI);

    auth_user->client = NULL;
    client->authenticated = 1;
    if (strcmp (req, "/admin.cgi") == 0 || strncmp ("/admin/metadata", req, 15) == 0)
    {
        ICECAST_LOG_DEBUG("metadata request (%s, %s)", req, mount);
        admin_handle_request (client, "/admin/metadata");
    }
    else
    {
        ICECAST_LOG_DEBUG("on mountpoint %s", mount);
        source_startup (client, mount, 0);
    }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@TheRealMattLear