basic auth credentials for api #1341

Closed

andrew-ld
Contributor

No description provided.

@codecov-commenter

Codecov Report

Merging #1341 (8ef6398) into main (455b8be) will decrease coverage by 0.04%.
The diff coverage is 65.00%.

@@            Coverage Diff             @@
##             main    #1341      +/-   ##
==========================================
- Coverage   62.48%   62.44%   -0.05%     
==========================================
  Files         113      113              
  Lines       12020    12027       +7     
==========================================
- Hits         7511     7510       -1     
- Misses       3915     3921       +6     
- Partials      594      596       +2     
| Impacted Files | Coverage Δ |
|---|---|
| internal/conf/conf.go | 73.70% <ø> (ø) |
| internal/core/formatprocessor_h264.go | 75.43% <ø> (ø) |
| internal/core/hls_muxer.go | 54.30% <ø> (ø) |
| internal/core/rtmp_conn.go | 63.40% <ø> (ø) |
| internal/core/rtmp_source.go | 65.06% <ø> (-2.74%) ⬇️ |
| internal/core/webrtc_conn.go | 0.00% <ø> (ø) |
| internal/hls/client_processor_fmp4.go | 65.89% <ø> (ø) |
| internal/hls/client_processor_mpegts.go | 61.24% <ø> (ø) |
| internal/hls/fmp4/init.go | 60.09% <ø> (ø) |
| internal/hls/fmp4/init_track.go | 67.79% <ø> (ø) |

... and 13 more


@aler9
Member

aler9 commented Dec 30, 2022

Hello, there are two possible ways to protect the API listener:

  • not protecting the API at all, add a reverse proxy before it and let the reverse proxy handle the authentication.
  • protecting the API, but I think that basic auth will not be enough for a lot of users that will ask for more advanced authentication techniques (separate credentials / JWT / external authentication)

We can certainly work towards the second approach, but keep in mind that handling security directly is not a "best practice" approach since there's a high risk of causing security issues. In my work I always try to avoid developing security components directly, I generally use a series of rugged security components (identity servers, gateways, WFAs, etc) and I put them before my services.

Anyway, we can certainly add a basic security layer to the server too, but I think that basic authentication will not be enough.

@andrew-ld
Contributor Author

Having a simple level of protection like basic auth would be useful; it would avoid adding additional software such as a reverse proxy, and its maintenance will still remain almost zero cost since everything is implemented by gin.
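
As an added example (not code from this pull request or from MediaMTX, and written against Go's standard `net/http` rather than gin): a Basic-auth wrapper for an API listener of the kind discussed above, comparing credentials in constant time. The credentials and the `/v1/example` path are constructed placeholders; Basic credentials are only base64-encoded on the wire, so the listener is assumed to sit behind TLS.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// basicAuth wraps an API handler and rejects requests that do not carry the
// expected HTTP Basic credentials (hypothetical helper, not the project's API).
func basicAuth(user, pass string, next http.Handler) http.Handler {
	// Hash both sides so the comparison always runs over fixed-length
	// inputs and does not leak the credential length through timing.
	wantUser := sha256.Sum256([]byte(user))
	wantPass := sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth() // ok is false when the header is missing or malformed
		gotUser := sha256.Sum256([]byte(u))
		gotPass := sha256.Sum256([]byte(p))
		userOK := subtle.ConstantTimeCompare(gotUser[:], wantUser[:])
		passOK := subtle.ConstantTimeCompare(gotPass[:], wantPass[:])
		if !ok || userOK&passOK != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="api", charset="UTF-8"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one in-memory request to h and returns the HTTP status.
// An empty user means "send no Authorization header at all".
func statusFor(h http.Handler, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, "/v1/example", nil) // constructed path
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	h := basicAuth("admin", "constructed-secret", api) // constructed credentials
	fmt.Println(statusFor(h, "", ""), statusFor(h, "admin", "wrong"), statusFor(h, "admin", "constructed-secret"))
}
```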

@eravellaSC

If I may ask, is this PR going to be merged? I am working on a system with MediaMTX inside and this feature would be very much appreciated.

@aler9
Member

aler9 commented Oct 4, 2023

@eravellaSC I'm working on an authentication system that will support explicit credentials, external authentication or JWTs along the entire server, including paths and API.

In the meantime, in order to protect the API, you can use a reverse proxy.

@t3therdev

Hi @aler9, any update on this?

@andrew-ld
Contributor Author

andrew-ld commented Feb 9, 2024

The implementation of JWT seems like something that takes a long time to be completed. Many people simply want to block requests to the API via basic auth; this solution, however, remains very easy to maintain and solves many of the cases.

@aler9
Member

aler9 commented Feb 27, 2024

replaced by #3081

@aler9 aler9 closed this Feb 27, 2024
aler9 added a commit that referenced this pull request Mar 4, 2024
This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication).
Contributor

github-actions bot commented Mar 4, 2024

This issue is mentioned in release v1.6.0 🚀
Check out the entire changelog by clicking here

@github-actions github-actions bot locked and limited conversation to collaborators Sep 6, 2024