257 lines
7.3 KiB
Go
257 lines
7.3 KiB
Go
package handlers
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"smoop-api/internal/config"
|
|
"smoop-api/internal/crypto"
|
|
"smoop-api/internal/dto"
|
|
"smoop-api/internal/models"
|
|
"strings"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"gorm.io/gorm"
|
|
)
|
|
|
|
type MediaMTXHandler struct {
|
|
jwtMgr *crypto.JWTManager
|
|
db *gorm.DB
|
|
cfg config.MediaMTXConfig
|
|
}
|
|
|
|
func NewMediaMTXHandler(db *gorm.DB, jwt *crypto.JWTManager, c config.MediaMTXConfig) *MediaMTXHandler {
|
|
return &MediaMTXHandler{db: db, jwtMgr: jwt, cfg: c}
|
|
}
|
|
|
|
// --- 3.1 External auth endpoint called by MediaMTX
|
|
// POST /mediamtx/auth
|
|
func (h *MediaMTXHandler) Auth(c *gin.Context) {
|
|
var req dto.MediaMTXAuthReq
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
c.JSON(http.StatusBadRequest, gin.H{"error": "bad auth body"})
|
|
return
|
|
}
|
|
|
|
// token can come from Authorization: Bearer or from query (?token=)
|
|
tok := extractBearer(c.GetHeader("Authorization"))
|
|
if tok == "" {
|
|
tok = tokenFromQuery(req.Query)
|
|
}
|
|
if tok == "" {
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "missing token"})
|
|
return
|
|
}
|
|
|
|
// parse & validate media token
|
|
// parsed, err := h.jwtMgr.Parse(tok)
|
|
// if err != nil || !parsed.Valid {
|
|
// c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
|
|
// return
|
|
// }
|
|
// var mc dto.MediaClaims
|
|
// if err := jwt.MapClaims(parsed.Claims.(jwt.MapClaims)).Decode(&mc); err != nil {
|
|
// c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid claims"})
|
|
// return
|
|
// }
|
|
|
|
// // enforce act/path
|
|
// if mc.Act != req.Action {
|
|
// c.JSON(http.StatusForbidden, gin.H{"error": "action mismatch"})
|
|
// return
|
|
// }
|
|
// if mc.Path != req.Path {
|
|
// c.JSON(http.StatusForbidden, gin.H{"error": "path mismatch"})
|
|
// return
|
|
// }
|
|
|
|
// // Optional: permission checks by role/device
|
|
// // READ: admins can read anything; users only devices assigned
|
|
// // PUBLISH: allow devices (sub=0 or special) or admins
|
|
// switch req.Action {
|
|
// case "read":
|
|
// if !h.canRead(mc.Subject, req.Path) {
|
|
// c.JSON(http.StatusForbidden, gin.H{"error": "no read permission"})
|
|
// return
|
|
// }
|
|
// case "publish":
|
|
// if !h.canPublish(mc.Subject, req.Path) {
|
|
// c.JSON(http.StatusForbidden, gin.H{"error": "no publish permission"})
|
|
// return
|
|
// }
|
|
// }
|
|
|
|
// parse & validate media token
|
|
mc, err := h.jwtMgr.ParseMedia(tok)
|
|
if err != nil {
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
|
|
return
|
|
}
|
|
|
|
// enforce act/path
|
|
if mc.Act != req.Action {
|
|
c.JSON(http.StatusForbidden, gin.H{"error": "action mismatch"})
|
|
return
|
|
}
|
|
if mc.Path != req.Path {
|
|
c.JSON(http.StatusForbidden, gin.H{"error": "path mismatch"})
|
|
return
|
|
}
|
|
|
|
sub := mc.Subject // from RegisteredClaims.Subject
|
|
switch req.Action {
|
|
case "read":
|
|
if !h.canRead(sub, req.Path) {
|
|
c.JSON(http.StatusForbidden, gin.H{"error": "no read permission"})
|
|
return
|
|
}
|
|
case "publish":
|
|
if !h.canPublish(sub, req.Path) {
|
|
c.JSON(http.StatusForbidden, gin.H{"error": "no publish permission"})
|
|
return
|
|
}
|
|
}
|
|
// allowed
|
|
c.Status(http.StatusOK)
|
|
}
|
|
|
|
func extractBearer(h string) string {
|
|
if strings.HasPrefix(strings.ToLower(h), "bearer ") {
|
|
return strings.TrimSpace(h[7:])
|
|
}
|
|
return ""
|
|
}
|
|
func tokenFromQuery(raw string) string {
|
|
if raw == "" {
|
|
return ""
|
|
}
|
|
q, _ := url.ParseQuery(raw)
|
|
return q.Get("token")
|
|
}
|
|
|
|
// naive helpers: replace with real queries to users/devices tables
|
|
func (h *MediaMTXHandler) canRead(sub, path string) bool {
|
|
// path is "live/<guid>"
|
|
parts := strings.SplitN(path, "/", 2)
|
|
if len(parts) != 2 {
|
|
return false
|
|
}
|
|
guid := parts[1]
|
|
|
|
// Find the user; admins -> allow; else check user_devices join
|
|
var u models.User
|
|
if err := h.db.Where("id = ?", sub).First(&u).Error; err == nil && u.Role == models.RoleAdmin {
|
|
return true
|
|
}
|
|
// check assignment
|
|
var count int64
|
|
_ = h.db.Table("user_devices").
|
|
Where("user_id = ? AND device_guid = ?", sub, guid).
|
|
Count(&count).Error
|
|
return count > 0
|
|
}
|
|
func (h *MediaMTXHandler) canPublish(sub, path string) bool {
|
|
// For devices you may use sub=0 or map to a device row; here: allow admins only
|
|
var u models.User
|
|
if err := h.db.Where("id = ?", sub).First(&u).Error; err == nil && u.Role == models.RoleAdmin {
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// --- 3.2 Mint publish token (device flow) -> returns WHIP URL
|
|
// POST /mediamtx/token/publish {guid}
|
|
func (h *MediaMTXHandler) MintPublish(c *gin.Context) {
|
|
var req dto.PublishTokenReq
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
c.JSON(http.StatusBadRequest, gin.H{"error": "bad request"})
|
|
return
|
|
}
|
|
path := "live/" + req.GUID
|
|
tok, _ := h.jwtMgr.GenerateMediaToken(0, "publish", path, h.cfg.TokenTTL) // sub=0 (device)
|
|
whip := fmt.Sprintf("%s/whip/%s?token=%s", strings.TrimRight(h.cfg.WebRTCBaseURL, "/"), path, url.QueryEscape(tok))
|
|
c.JSON(http.StatusCreated, dto.PublishTokenResp{WHIP: whip})
|
|
}
|
|
|
|
// --- 3.3 Mint read token (user flow) -> returns HLS + WHEP URLs
|
|
// POST /mediamtx/token/read {guid}
|
|
func (h *MediaMTXHandler) MintRead(c *gin.Context) {
|
|
user, ok := GetUserContext(c)
|
|
if !ok {
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
|
|
return
|
|
}
|
|
var req dto.ReadTokenReq
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
c.JSON(http.StatusBadRequest, gin.H{"error": "bad request"})
|
|
return
|
|
}
|
|
path := "live/" + req.GUID
|
|
|
|
// check permission before minting
|
|
if user.Role != models.RoleAdmin {
|
|
var count int64
|
|
_ = h.db.Table("user_devices").
|
|
Where("user_id = ? AND device_guid = ?", user.ID, req.GUID).
|
|
Count(&count).Error
|
|
if count == 0 {
|
|
c.JSON(http.StatusForbidden, gin.H{"error": "not allowed for this device"})
|
|
return
|
|
}
|
|
}
|
|
|
|
tok, _ := h.jwtMgr.GenerateMediaToken(user.ID, "read", path, h.cfg.TokenTTL)
|
|
|
|
pub := strings.TrimRight(h.cfg.PublicBaseURL, "/")
|
|
resp := dto.ReadTokenResp{
|
|
HLS: fmt.Sprintf("%s/hls/%s/index.m3u8?token=%s", pub, path, url.QueryEscape(tok)),
|
|
WHEP: fmt.Sprintf("%s/webrtc/play/%s?token=%s", pub, path, url.QueryEscape(tok)),
|
|
}
|
|
c.JSON(http.StatusCreated, resp)
|
|
}
|
|
|
|
// --- 3.4 Admin "controls" using MediaMTX Control API (v3)
|
|
type pathsListRes struct {
|
|
Items []struct {
|
|
Name string `json:"name"`
|
|
} `json:"items"`
|
|
}
|
|
|
|
func (h *MediaMTXHandler) ListPaths(c *gin.Context) {
|
|
// GET {apiBase}/v3/paths/list
|
|
resp, err := http.Get(strings.TrimRight(h.cfg.APIBase, "/") + "/v3/paths/list")
|
|
if err != nil {
|
|
c.JSON(http.StatusBadGateway, gin.H{"error": "mtx api unreachable"})
|
|
return
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode != 200 {
|
|
c.JSON(resp.StatusCode, gin.H{"error": "mtx api error"})
|
|
return
|
|
}
|
|
var pl pathsListRes
|
|
if err := json.NewDecoder(resp.Body).Decode(&pl); err != nil {
|
|
c.JSON(http.StatusBadGateway, gin.H{"error": "decode error"})
|
|
return
|
|
}
|
|
c.JSON(200, pl)
|
|
}
|
|
|
|
func (h *MediaMTXHandler) KickWebRTC(c *gin.Context) {
|
|
// POST {apiBase}/v3/webrtcsessions/kick/{id}
|
|
id := c.Param("id")
|
|
reqURL := strings.TrimRight(h.cfg.APIBase, "/") + "/v3/webrtcsessions/kick/" + url.PathEscape(id)
|
|
httpResp, err := http.Post(reqURL, "application/json", http.NoBody)
|
|
if err != nil {
|
|
c.JSON(http.StatusBadGateway, gin.H{"error": "mtx api unreachable"})
|
|
return
|
|
}
|
|
defer httpResp.Body.Close()
|
|
if httpResp.StatusCode/100 != 2 {
|
|
c.JSON(httpResp.StatusCode, gin.H{"error": "kick failed"})
|
|
return
|
|
}
|
|
c.Status(http.StatusNoContent)
|
|
}
|