apps/go2rtc
1
0
Fork 0
mirror of https://github.com/AlexxIT/go2rtc.git synced 2026-04-22 15:47:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/260201-readonly' into beta

Browse Source 
# Conflicts:
#	README.md
#	www/index.html
This commit is contained in:
Sergey Krashevich
2026-03-10 23:58:57 +03:00
parent e59b17d77d bc7f9c0f79
commit 072cdd7c44
28 changed files with 550 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+2
View File
@@ -462,6 +462,8 @@ api:
allow_paths: [/api, /api/streams, /api/webrtc, /api/frame.jpeg]
# enable auth for localhost (used together with username and password)
local_auth: true
# disable write actions in WebUI/API
read_only: true
exec:
# use only allowed exec paths
internal/api/api.go
+27
View File
@@ -32,6 +32,7 @@ func Init() {
TLSCert string `yaml:"tls_cert"`
TLSKey string `yaml:"tls_key"`
UnixListen string `yaml:"unix_listen"`
ReadOnly bool `yaml:"read_only"`
AllowPaths []string `yaml:"allow_paths"`
} `yaml:"api"`
@@ -50,6 +51,9 @@ func Init() {
allowPaths = cfg.Mod.AllowPaths
basePath = cfg.Mod.BasePath
log = app.GetLogger("api")
ReadOnly = cfg.Mod.ReadOnly
app.ConfigReadOnly = ReadOnly
app.Info["read_only"] = ReadOnly
initStatic(cfg.Mod.StaticDir)
@@ -149,6 +153,15 @@ const (
)
var Handler http.Handler
var ReadOnly bool
func IsReadOnly() bool {
return ReadOnly
}
func ReadOnlyError(w http.ResponseWriter) {
http.Error(w, "read-only", http.StatusForbidden)
}
// HandleFunc handle pattern with relative path:
// - "api/streams" => "{basepath}/api/streams"
@@ -251,6 +264,11 @@ func exitHandler(w http.ResponseWriter, r *http.Request) {
return
}
if IsReadOnly() {
ReadOnlyError(w)
return
}
s := r.URL.Query().Get("code")
code, err := strconv.Atoi(s)
@@ -269,6 +287,11 @@ func restartHandler(w http.ResponseWriter, r *http.Request) {
return
}
if IsReadOnly() {
ReadOnlyError(w)
return
}
path, err := os.Executable()
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -287,6 +310,10 @@ func logHandler(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/jsonlines")
_, _ = app.MemoryLog.WriteTo(w)
case "DELETE":
if IsReadOnly() {
ReadOnlyError(w)
return
}
app.MemoryLog.Reset()
Response(w, "OK", "text/plain")
default:
internal/api/config.go
+4
View File
@@ -30,6 +30,10 @@ func configHandler(w http.ResponseWriter, r *http.Request) {
Response(w, data, "application/yaml")
case "POST", "PATCH":
if IsReadOnly() {
ReadOnlyError(w)
return
}
data, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
internal/api/config_readonly_test.go
+36
View File
@@ -0,0 +1,36 @@
package api
import (
"net/http"
"net/http/httptest"
"path/filepath"
"strings"
"testing"
"github.com/AlexxIT/go2rtc/internal/app"
"github.com/stretchr/testify/require"
)
func TestConfigHandlerReadOnly(t *testing.T) {
prevPath := app.ConfigPath
prevReadOnly := ReadOnly
t.Cleanup(func() {
app.ConfigPath = prevPath
ReadOnly = prevReadOnly
})
app.ConfigPath = filepath.Join(t.TempDir(), "config.yaml")
ReadOnly = true
for _, method := range []string{"POST", "PATCH"} {
t.Run(method, func(t *testing.T) {
req := httptest.NewRequest(method, "/api/config", strings.NewReader("log:\n level: info\n"))
w := httptest.NewRecorder()
configHandler(w, req)
require.Equal(t, http.StatusForbidden, w.Code)
require.Contains(t, w.Body.String(), "read-only")
})
}
}
internal/app/config.go
+4
View File
@@ -20,11 +20,15 @@ func LoadConfig(v any) {
}
var configMu sync.Mutex
var ConfigReadOnly bool
func PatchConfig(path []string, value any) error {
if ConfigPath == "" {
return errors.New("config file disabled")
}
if ConfigReadOnly {
return errors.New("config is read-only")
}
configMu.Lock()
defer configMu.Unlock()
internal/app/config_readonly_test.go
+29
View File
@@ -0,0 +1,29 @@
package app
import (
"os"
"path/filepath"
"testing"
"github.com/stretchr/testify/require"
)
func TestPatchConfigReadOnly(t *testing.T) {
prevPath := ConfigPath
prevReadOnly := ConfigReadOnly
t.Cleanup(func() {
ConfigPath = prevPath
ConfigReadOnly = prevReadOnly
})
dir := t.TempDir()
path := filepath.Join(dir, "config.yaml")
require.NoError(t, os.WriteFile(path, []byte(""), 0644))
ConfigPath = path
ConfigReadOnly = true
err := PatchConfig([]string{"streams", "cam"}, "rtsp://example.com")
require.Error(t, err)
require.EqualError(t, err, "config is read-only")
}
internal/ffmpeg/api.go
+5
View File
@@ -4,6 +4,7 @@ import (
"net/http"
"strings"
"github.com/AlexxIT/go2rtc/internal/api"
"github.com/AlexxIT/go2rtc/internal/streams"
)
@@ -12,6 +13,10 @@ func apiFFmpeg(w http.ResponseWriter, r *http.Request) {
http.Error(w, "", http.StatusMethodNotAllowed)
return
}
if api.IsReadOnly() {
api.ReadOnlyError(w)
return
}
query := r.URL.Query()
dst := query.Get("dst")
internal/ffmpeg/api_readonly_test.go
+26
View File
@@ -0,0 +1,26 @@
package ffmpeg
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/AlexxIT/go2rtc/internal/api"
"github.com/stretchr/testify/require"
)
func TestApiFFmpegReadOnly(t *testing.T) {
prevReadOnly := api.ReadOnly
t.Cleanup(func() {
api.ReadOnly = prevReadOnly
})
api.ReadOnly = true
req := httptest.NewRequest("POST", "/api/ffmpeg?dst=cam&text=hello", nil)
w := httptest.NewRecorder()
apiFFmpeg(w, req)
require.Equal(t, http.StatusForbidden, w.Code)
}
internal/homekit/api.go
+4
View File
@@ -43,6 +43,10 @@ func apiDiscovery(w http.ResponseWriter, r *http.Request) {
}
func apiHomekit(w http.ResponseWriter, r *http.Request) {
if api.IsReadOnly() && r.Method != "GET" {
api.ReadOnlyError(w)
return
}
if err := r.ParseForm(); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
internal/homekit/api_readonly_test.go
+37
View File
@@ -0,0 +1,37 @@
package homekit
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/AlexxIT/go2rtc/internal/api"
"github.com/stretchr/testify/require"
)
func TestApiHomekitReadOnly(t *testing.T) {
prevReadOnly := api.ReadOnly
t.Cleanup(func() {
api.ReadOnly = prevReadOnly
})
api.ReadOnly = true
t.Run("POST blocked", func(t *testing.T) {
req := httptest.NewRequest("POST", "/api/homekit", nil)
w := httptest.NewRecorder()
apiHomekit(w, req)
require.Equal(t, http.StatusForbidden, w.Code)
})
t.Run("GET allowed", func(t *testing.T) {
req := httptest.NewRequest("GET", "/api/homekit", nil)
w := httptest.NewRecorder()
apiHomekit(w, req)
require.Equal(t, http.StatusOK, w.Code)
})
}
internal/http/http.go
+8
View File
@@ -111,6 +111,14 @@ func handleTCP(rawURL string) (core.Producer, error) {
}
func apiStream(w http.ResponseWriter, r *http.Request) {
if api.IsReadOnly() {
switch r.Method {
case "PUT", "PATCH", "POST", "DELETE":
api.ReadOnlyError(w)
return
}
}
dst := r.URL.Query().Get("dst")
stream := streams.Get(dst)
if stream == nil {
internal/http/http_readonly_test.go
+30
View File
@@ -0,0 +1,30 @@
package http
import (
stdhttp "net/http"
"net/http/httptest"
"testing"
"github.com/AlexxIT/go2rtc/internal/api"
"github.com/stretchr/testify/require"
)
func TestApiStreamReadOnly(t *testing.T) {
prevReadOnly := api.ReadOnly
t.Cleanup(func() {
api.ReadOnly = prevReadOnly
})
api.ReadOnly = true
for _, method := range []string{"PUT", "PATCH", "POST", "DELETE"} {
t.Run(method, func(t *testing.T) {
req := httptest.NewRequest(method, "/api/stream?dst=test", nil)
w := httptest.NewRecorder()
apiStream(w, req)
require.Equal(t, stdhttp.StatusForbidden, w.Code)
})
}
}
internal/roborock/roborock.go
+4
View File
@@ -24,6 +24,10 @@ var Auth struct {
}
func apiHandle(w http.ResponseWriter, r *http.Request) {
if api.IsReadOnly() && r.Method != "GET" {
api.ReadOnlyError(w)
return
}
switch r.Method {
case "GET":
if Auth.UserData == nil {
internal/roborock/roborock_readonly_test.go
+26
View File
@@ -0,0 +1,26 @@
package roborock
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/AlexxIT/go2rtc/internal/api"
"github.com/stretchr/testify/require"
)
func TestApiHandleReadOnly(t *testing.T) {
prevReadOnly := api.ReadOnly
t.Cleanup(func() {
api.ReadOnly = prevReadOnly
})
api.ReadOnly = true
req := httptest.NewRequest("POST", "/api/roborock", nil)
w := httptest.NewRecorder()
apiHandle(w, req)
require.Equal(t, http.StatusForbidden, w.Code)
}
internal/streams/api.go
+14
View File
@@ -12,6 +12,13 @@ import (
func apiStreams(w http.ResponseWriter, r *http.Request) {
w = creds.SecretResponse(w)
if api.IsReadOnly() {
switch r.Method {
case "PUT", "PATCH", "POST", "DELETE":
api.ReadOnlyError(w)
return
}
}
query := r.URL.Query()
src := query.Get("src")
@@ -130,6 +137,13 @@ func apiStreamsDOT(w http.ResponseWriter, r *http.Request) {
}
func apiPreload(w http.ResponseWriter, r *http.Request) {
if api.IsReadOnly() {
switch r.Method {
case "PUT", "DELETE":
api.ReadOnlyError(w)
return
}
}
// GET - return all preloads
if r.Method == "GET" {
api.ResponseJSON(w, GetPreloads())
internal/streams/api_readonly_test.go
+68
View File
@@ -0,0 +1,68 @@
package streams
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/AlexxIT/go2rtc/internal/api"
"github.com/stretchr/testify/require"
)
func TestApiStreamsReadOnly(t *testing.T) {
prevReadOnly := api.ReadOnly
t.Cleanup(func() {
api.ReadOnly = prevReadOnly
})
api.ReadOnly = true
for _, method := range []string{"PUT", "PATCH", "POST", "DELETE"} {
t.Run(method, func(t *testing.T) {
req := httptest.NewRequest(method, "/api/streams?src=test", nil)
w := httptest.NewRecorder()
apiStreams(w, req)
require.Equal(t, http.StatusForbidden, w.Code)
})
}
t.Run("GET allowed", func(t *testing.T) {
req := httptest.NewRequest("GET", "/api/streams", nil)
w := httptest.NewRecorder()
apiStreams(w, req)
require.Equal(t, http.StatusOK, w.Code)
})
}
func TestApiPreloadReadOnly(t *testing.T) {
prevReadOnly := api.ReadOnly
t.Cleanup(func() {
api.ReadOnly = prevReadOnly
})
api.ReadOnly = true
for _, method := range []string{"PUT", "DELETE"} {
t.Run(method, func(t *testing.T) {
req := httptest.NewRequest(method, "/api/preload?src=test", nil)
w := httptest.NewRecorder()
apiPreload(w, req)
require.Equal(t, http.StatusForbidden, w.Code)
})
}
t.Run("GET allowed", func(t *testing.T) {
req := httptest.NewRequest("GET", "/api/preload", nil)
w := httptest.NewRecorder()
apiPreload(w, req)
require.Equal(t, http.StatusOK, w.Code)
})
}
internal/webrtc/server.go
+8
View File
@@ -21,6 +21,14 @@ const MimeSDP = "application/sdp"
var sessions = map[string]*webrtc.Conn{}
func syncHandler(w http.ResponseWriter, r *http.Request) {
if api.IsReadOnly() {
switch r.Method {
case "POST", "PATCH", "DELETE":
api.ReadOnlyError(w)
return
}
}
switch r.Method {
case "POST":
query := r.URL.Query()
internal/webrtc/server_readonly_test.go
+30
View File
@@ -0,0 +1,30 @@
package webrtc
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/AlexxIT/go2rtc/internal/api"
"github.com/stretchr/testify/require"
)
func TestSyncHandlerReadOnly(t *testing.T) {
prevReadOnly := api.ReadOnly
t.Cleanup(func() {
api.ReadOnly = prevReadOnly
})
api.ReadOnly = true
for _, method := range []string{"POST", "PATCH", "DELETE"} {
t.Run(method, func(t *testing.T) {
req := httptest.NewRequest(method, "/api/webrtc?dst=test", nil)
w := httptest.NewRecorder()
syncHandler(w, req)
require.Equal(t, http.StatusForbidden, w.Code)
})
}
}
internal/wyze/wyze.go
+4
View File
@@ -59,6 +59,10 @@ func getCloud(email string) (*wyze.Cloud, error) {
}
func apiWyze(w http.ResponseWriter, r *http.Request) {
if api.IsReadOnly() && r.Method != "GET" {
api.ReadOnlyError(w)
return
}
switch r.Method {
case "GET":
apiDeviceList(w, r)
internal/wyze/wyze_readonly_test.go
+26
View File
@@ -0,0 +1,26 @@
package wyze
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/AlexxIT/go2rtc/internal/api"
"github.com/stretchr/testify/require"
)
func TestApiWyzeReadOnly(t *testing.T) {
prevReadOnly := api.ReadOnly
t.Cleanup(func() {
api.ReadOnly = prevReadOnly
})
api.ReadOnly = true
req := httptest.NewRequest("POST", "/api/wyze", nil)
w := httptest.NewRecorder()
apiWyze(w, req)
require.Equal(t, http.StatusForbidden, w.Code)
}
internal/xiaomi/xiaomi.go
+4
View File
@@ -219,6 +219,10 @@ func wakeUpCamera(url *url.URL) error {
}
func apiXiaomi(w http.ResponseWriter, r *http.Request) {
if api.IsReadOnly() && r.Method != "GET" {
api.ReadOnlyError(w)
return
}
switch r.Method {
case "GET":
apiDeviceList(w, r)
internal/xiaomi/xiaomi_readonly_test.go
+26
View File
@@ -0,0 +1,26 @@
package xiaomi
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/AlexxIT/go2rtc/internal/api"
"github.com/stretchr/testify/require"
)
func TestApiXiaomiReadOnly(t *testing.T) {
prevReadOnly := api.ReadOnly
t.Cleanup(func() {
api.ReadOnly = prevReadOnly
})
api.ReadOnly = true
req := httptest.NewRequest("POST", "/api/xiaomi", nil)
w := httptest.NewRecorder()
apiXiaomi(w, req)
require.Equal(t, http.StatusForbidden, w.Code)
}
www/add.html
+17 -1
View File
@@ -52,8 +52,24 @@
drawTable(table, await r.json());
}
</script>
<script>
window.addEventListener('DOMContentLoaded', () => {
if (!window.go2rtcReady) return;
window.go2rtcReady.then(data => {
if (!data || !data.read_only) return;
const banner = document.getElementById('readonly-banner');
if (banner) banner.style.display = 'block';
document.querySelectorAll('main input, main select, main button, main textarea').forEach(el => {
el.disabled = true;
});
});
});
</script>
<main>
<div id="readonly-banner" style="display: none; padding: 10px; background: #ffe9e9; border: 1px solid #f0b4b4;">
Read-only mode: add actions are disabled.
</div>
<button id="stream">Temporary stream</button>
<div>
<form id="stream-form">
@@ -566,4 +582,4 @@
</main>
</body>
</html>
</html>
www/config.html
+46 -3
View File
@@ -1182,18 +1182,61 @@
let dump;
document.getElementById('save').addEventListener('click', async () => {
const saveButton = document.getElementById('save');
const readOnlyWarning = 'Enabling read_only: true cannot be reverted remotely. To disable it you must edit the config file on the server manually. Continue?';
const hasReadOnlyTrue = (text) => {
if (!text) return false;
return /(^|\n)\s*read_only\s*:\s*true\s*(#.*)?$/m.test(text);
};
const applyReadOnly = () => {
saveButton.disabled = true;
saveButton.title = 'Read-only mode';
editor.updateOptions({readOnly: true});
};
if (window.go2rtcReady) {
window.go2rtcReady.then(data => {
if (data && data.read_only) applyReadOnly();
});
}
saveButton.addEventListener('click', async () => {
let r = await fetch('api/config', {cache: 'no-cache'});
if (r.ok && dump !== await r.text()) {
alert('Config was changed from another place. Refresh the page and make changes again');
return;
}
r = await fetch('api/config', {method: 'POST', body: editor.getValue()});
const nextValue = editor.getValue();
if (hasReadOnlyTrue(nextValue) && !hasReadOnlyTrue(dump)) {
if (!confirm(readOnlyWarning)) return;
}
r = await fetch('api/config', {method: 'POST', body: nextValue});
if (r.ok) {
alert('OK');
dump = editor.getValue();
dump = nextValue;
await fetch('api/restart', {method: 'POST'});
// Poll server until it's back online before reloading
const waitForServer = async () => {
for (let i = 0; i < 20; i++) {
await new Promise(r => setTimeout(r, 500));
try {
const response = await fetch('api/config', {cache: 'no-cache'});
if (response.ok || response.status === 410) {
location.reload();
return;
}
} catch (e) {
// Server still down, continue polling
}
}
// Fallback: reload after 10 seconds even if server check fails
location.reload();
};
waitForServer();
} else {
alert(await r.text());
}
www/index.html
+24 -5
View File
@@ -47,11 +47,18 @@
</main>
<script>
const templates = [
let templates = [
'<a href="stream.html?src={name}">stream</a>',
'<a href="links.html?src={name}">links</a>',
'<a href="#" data-name="{name}">delete</a>',
];
let readOnly = false;
const applyReadOnly = (flag) => {
if (!flag || readOnly) return;
readOnly = true;
templates = templates.filter(link => link.indexOf('delete') < 0);
};
document.querySelector('.controls > button')
.addEventListener('click', () => {
@@ -263,6 +270,8 @@
function updateInfo() {
return fetch(infoURL, {cache: 'no-cache'}).then(r => r.json()).then(data => {
applyReadOnly(Boolean(data.read_only));
const cpuUsage = clampPercent(data.system?.cpu_usage);
const memUsed = toNumber(data.system?.mem_used);
const memTotal = toNumber(data.system?.mem_total);
@@ -287,11 +296,21 @@
});
}
updateInfo().then(isSupported => {
if (isSupported) startInfoUpdates();
});
const applyInfo = (data) => {
applyReadOnly(Boolean(data.read_only));
updateInfo().then(isSupported => {
if (isSupported) startInfoUpdates();
});
};
reload();
if (window.go2rtcReady) {
window.go2rtcReady.then(data => {
if (data) applyInfo(data);
});
} else {
const url = new URL('api', location.href);
fetch(url, {cache: 'no-cache'}).then(r => r.json()).then(data => applyInfo(data));
}
</script>
</body>
www/links.html
+15
View File
@@ -154,6 +154,21 @@ Telegram: rtmps://xxx-x.rtmp.t.me/s/xxxxxxxxxx:xxxxxxxxxxxxxxxxxxxxxx</pre>
fetch(url, {method: 'POST'});
});
</script>
<script>
const applyReadOnly = () => {
const ids = ['play-send', 'play-url', 'pub-send', 'pub-url'];
ids.forEach(id => {
const el = document.getElementById(id);
if (el) el.disabled = true;
});
};
if (window.go2rtcReady) {
window.go2rtcReady.then(data => {
if (data && data.read_only) applyReadOnly();
});
}
</script>
<div id="webrtc">
<h2>WebRTC Magic</h2>
www/main.js
+21
View File
@@ -136,3 +136,24 @@ document.body.innerHTML = `
</nav>
</header>
` + document.body.innerHTML;
window.go2rtcReady = (async () => {
try {
const url = new URL('api', location.href);
const r = await fetch(url, {cache: 'no-cache'});
if (!r.ok) return null;
const data = await r.json();
window.go2rtcInfo = data;
return data;
} catch (e) {
return null;
}
})();
window.go2rtcReady.then(data => {
if (!data || !data.read_only) return;
const links = document.querySelectorAll('nav a[href="add.html"], nav a[href="config.html"]');
links.forEach(link => {
link.style.display = 'none';
});
});
www/schema.json
+5
View File
@@ -68,6 +68,11 @@
"password": {
"type": "string"
},
"read_only": {
"description": "Disable write actions in WebUI/API",
"type": "boolean",
"default": false
},
"local_auth": {
"description": "Enable auth check for localhost requests",
"type": "boolean",