feat(iroh-relay): allow to authenticate nodes via a HTTP POST request

Frando · Frando · commit 3ebafa09fd27 · 2025-03-26T11:49:46.000+01:00
diff --git a/iroh-relay/src/main.rs b/iroh-relay/src/main.rs
@@ -22,7 +22,7 @@ use iroh_relay::{
 use n0_future::FutureExt;
 use serde::{Deserialize, Serialize};
 use tokio_rustls_acme::{caches::DirCache, AcmeConfig};
-use tracing::debug;
+use tracing::{debug, warn};
 use tracing_subscriber::{prelude::*, EnvFilter};
 
 /// The default `http_bind_port` when using `--dev`.
@@ -181,6 +181,14 @@ enum AccessConfig {
     Allowlist(Vec<NodeId>),
     /// Allows everyone, except these nodes.
     Denylist(Vec<NodeId>),
+    /// Performs a HTTP POST request to determine access for each node that connects to the relay.
+    ///
+    /// The string value is used as the URL template, where `{node_id}` will be replaced
+    /// with the hex-encoded node id that is connecting.
+    ///
+    /// To grant access, the HTTP endpoint must return a `200` response with `true` as the response text.
+    /// In all other cases, the node will be denied accesss.
+    Http(String),
 }
 
 impl From<AccessConfig> for iroh_relay::server::AccessConfig {
@@ -215,10 +223,59 @@ impl From<AccessConfig> for iroh_relay::server::AccessConfig {
                     .boxed()
                 }))
             }
+            AccessConfig::Http(url_template) => {
+                let client = reqwest::Client::default();
+                let url_template = Arc::new(url_template);
+                iroh_relay::server::AccessConfig::Restricted(Box::new(move |node_id| {
+                    let client = client.clone();
+                    let url_template = url_template.clone();
+                    async move { http_access_check(&client, &url_template, node_id).await }.boxed()
+                }))
+            }
         }
     }
 }
 
+#[tracing::instrument("http-access-check", skip_all, fields(node_id=%node_id.fmt_short()))]
+async fn http_access_check(
+    client: &reqwest::Client,
+    url_template: &str,
+    node_id: NodeId,
+) -> iroh_relay::server::Access {
+    use iroh_relay::server::Access;
+    let url = url_template.replace("{node_id}", &node_id.to_string());
+    debug!(%url, "check relay access via HTTP POST");
+    let res = match client.post(&url).send().await {
+        Ok(t) => t,
+        Err(err) => {
+            warn!("request failed: {err}");
+            return Access::Deny;
+        }
+    };
+    if res.status().is_success() {
+        match res.text().await {
+            Err(err) => {
+                warn!("failed to read response: {err}");
+                Access::Deny
+            }
+            Ok(text) if text == "true" => {
+                debug!("request succesfull: grant access");
+                Access::Allow
+            }
+            Ok(_) => {
+                warn!("request succesfull but response text is not `true`: deny access");
+                Access::Deny
+            }
+        }
+    } else {
+        debug!(
+            "request returned non-success code {}: deny access",
+            res.status()
+        );
+        Access::Deny
+    }
+}
+
 impl Config {
     fn http_bind_addr(&self) -> SocketAddr {
         self.http_bind_addr
