log authentication errors of API, metrics, pprof (#4641) (#5015)

2025-12-20 02:00:05 -08:00 · 2025-09-23 09:51:22 +02:00 · 2025-09-23 09:51:22 +02:00 · 5240bcb8ff
commit 5240bcb8ff
parent e05246d5ae
9 changed files with 307 additions and 66 deletions
--- a/internal/api/api_test.go
+++ b/internal/api/api_test.go
@ -3,6 +3,7 @@ package api
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@ -18,9 +19,14 @@ import (
 	"github.com/stretchr/testify/require"
 )

-type testParent struct{}
+type testParent struct {
+	log func(_ logger.Level, _ string, _ ...interface{})
+}

-func (testParent) Log(_ logger.Level, _ string, _ ...interface{}) {
+func (p testParent) Log(l logger.Level, s string, a ...interface{}) {
+	if p.log != nil {
+		p.log(l, s, a...)
+	}
 }

 func (testParent) APIConfigSet(_ *conf.Conf) {}
@ -113,13 +119,22 @@ func TestPreflightRequest(t *testing.T) {

 func TestConfigGlobalGet(t *testing.T) {
 	cnf := tempConf(t, "api: yes\n")
+	checked := false

 	api := API{
 		Address:     "localhost:9997",
 		ReadTimeout: conf.Duration(10 * time.Second),
 		Conf:        cnf,
-		AuthManager: test.NilAuthManager,
-		Parent:      &testParent{},
+		AuthManager: &test.AuthManager{
+			AuthenticateImpl: func(req *auth.Request) *auth.Error {
+				require.Equal(t, conf.AuthActionAPI, req.Action)
+				require.Equal(t, "myuser", req.Credentials.User)
+				require.Equal(t, "mypass", req.Credentials.Pass)
+				checked = true
+				return nil
+			},
+		},
+		Parent: &testParent{},
 	}
 	err := api.Initialize()
 	require.NoError(t, err)
@ -130,8 +145,10 @@ func TestConfigGlobalGet(t *testing.T) {
 	hc := &http.Client{Transport: tr}

 	var out map[string]interface{}
-	httpRequest(t, hc, http.MethodGet, "http://localhost:9997/v3/config/global/get", nil, &out)
+	httpRequest(t, hc, http.MethodGet, "http://myuser:mypass@localhost:9997/v3/config/global/get", nil, &out)
 	require.Equal(t, true, out["api"])
+
+	require.True(t, checked)
 }

 func TestConfigGlobalPatch(t *testing.T) {
@ -757,3 +774,54 @@ func TestAuthJWKSRefresh(t *testing.T) {

 	require.True(t, ok)
 }
+
+func TestAuthError(t *testing.T) {
+	cnf := tempConf(t, "api: yes\n")
+	n := 0
+
+	api := API{
+		Address:     "localhost:9997",
+		ReadTimeout: conf.Duration(10 * time.Second),
+		Conf:        cnf,
+		AuthManager: &test.AuthManager{
+			AuthenticateImpl: func(req *auth.Request) *auth.Error {
+				if req.Credentials.User == "" {
+					return &auth.Error{AskCredentials: true}
+				}
+				return &auth.Error{Wrapped: fmt.Errorf("auth error")}
+			},
+		},
+		Parent: &testParent{
+			log: func(l logger.Level, s string, i ...interface{}) {
+				if l == logger.Info {
+					if n == 1 {
+						require.Regexp(t, "failed to authenticate: auth error$", fmt.Sprintf(s, i...))
+					}
+					n++
+				}
+			},
+		},
+	}
+	err := api.Initialize()
+	require.NoError(t, err)
+	defer api.Close()
+
+	tr := &http.Transport{}
+	defer tr.CloseIdleConnections()
+	hc := &http.Client{Transport: tr}
+
+	res, err := hc.Get("http://localhost:9997/v3/config/global/get")
+	require.NoError(t, err)
+	defer res.Body.Close()
+
+	require.Equal(t, http.StatusUnauthorized, res.StatusCode)
+	require.Equal(t, `Basic realm="mediamtx"`, res.Header.Get("WWW-Authenticate"))
+
+	res, err = hc.Get("http://myuser:mypass@localhost:9997/v3/config/global/get")
+	require.NoError(t, err)
+	defer res.Body.Close()
+
+	require.Equal(t, http.StatusUnauthorized, res.StatusCode)
+
+	require.Equal(t, 2, n)
+}