rustdesk-server

Author	SHA1	Message	Date
mike	d07e98e607	feat: M6 web client — view + control + audio in the dashboard Adds a TypeScript SPA embedded in hbbs that lets a logged-in admin click "Connect (web client)" on a Devices row and remote-control the peer from the browser, no desktop client install required. View, mouse/keyboard control, and host-audio playback all work end-to-end. Architecture ------------ Pure browser app, no server-side WS proxy: Browser ──ws://hbbs:21118── rendezvous (PunchHole + RequestRelay) │ └──ws://hbbr:21119──── relay (paired by uuid) │ └── peer (RustDesk desktop, any platform) Same wire path the desktop client takes via `Client::request_relay` and `Client::create_relay`. Browser-relay-only — no NAT punching, so we send nat_type=SYMMETRIC in PunchHoleRequest to make the peer skip the direct attempt and go straight to relay (initiate=true with a host-generated uuid that we then use for our own relay leg). The 5 wire steps: 1. PunchHoleRequest → harvests signed peer Ed25519 sign-pk + relay host + the peer's session uuid from RelayResponse 2. Verify the signed pk against /admin/connect's `id_ed25519.pub` 3. Open WS to hbbr:21119, send RequestRelay with that uuid 4. Read peer's Message{signed_id}, verify with peer_sign_pk, extract Curve25519 box pk; box-seal a fresh secretbox key under it; send Message{public_key} unencrypted 5. Secretbox-encrypted stream from here. Hash → LoginRequest → LoginResponse with PeerInfo. Mode = Legacy (Translate silently drops ControlKey/Unicode payloads on the host side). New Rust surface ---------------- - `admin_ui/connect.html` — SPA shell with `{{CUSTOM_CONFIG}}` placeholder - `src/api/admin/pages/connect.rs` — gates on AuthedUser, injects per-request config (rendezvous host, relay host, server pubkey, peer_id, admin name) into the `<script id="custom-config">` tag, serves bundle.{js,css} via include_bytes! - 3 routes added: GET /admin/connect/:peer_id and the two assets - Devices dropdown gains a sky-blue "Connect (web client)" link that opens in a new tab New TypeScript SPA (`web_client/`) ---------------------------------- Stack: pure DOM/TS, no React/Vue. Bundled by esbuild → `dist/bundle.{js,css}` which is committed (cargo build needs no Node toolchain). src/main.ts boot + password retry loop + receive dispatch src/crypto.ts tweetnacl wrapper (sign_open, box, secretbox) + @noble/hashes/sha2 (works on plain http; SubtleCrypto requires a secure context) src/proto/generated.{js,d.ts} pbjs static-module from libs/hbb_common/protos/{rendezvous,message}.proto src/transport/rendezvous.ts WS to hbbs; PunchHole + RequestRelay src/transport/relay.ts WS to hbbr; duplex frame transport src/transport/session.ts secure-handshake state machine + Hash/Login + 8-byte LE secretbox sequence counter (PRE-increment, send/recv independent — matches libs/hbb_common/src/tcp.rs:317-320) + preloginExtras stash for AudioFormat that arrives before LoginResponse src/decode/video.ts WebCodecs VideoDecoder (vp09.00.10.08 today; h264/h265/av1/vp8 codec strings ready for M6f) src/decode/audio.ts WebCodecs AudioDecoder (opus) → AudioContext; detects f32 vs f32-planar AudioData layout and deinterleaves when needed; gap-less scheduling via a sliding playhead src/ui/canvas.ts <canvas> with object-fit: contain letterbox; auto-resizes on resolution change; FPS counter src/input/mouse.ts MouseEvent → MouseEvent proto. Mask layout: (button << 3) \| type (0=move,1=down,2=up, 3=wheel). Letterbox-aware viewport→peer coord mapping. Right-click suppresses the browser context menu; left-click does NOT preventDefault (would block focus) src/input/keyboard.ts Window-level keydown/keyup → KeyEvent proto in Legacy mode. Special keys → ControlKey enum; printable → unicode codepoint (down only, host's process_unicode does a single key_click). Browser shortcuts allowlisted (Cmd-T/N/W/R, Tab) so the user keeps tab control. Ctrl+Alt+Del HUD button (host-side `send_sas` is `#[cfg(windows)]`; no-op on Mac/Linux hosts but present for parity) Bundle size: 529 KB raw / ~74 KB gzipped. Tree-shaken protobufjs + tweetnacl + @noble/hashes only. Deployment notes ---------------- - WebCodecs and SubtleCrypto are gated to "secure context" origins — HTTPS, or http://localhost. Plain http://lan-ip won't work. Open via http://localhost during dev, or terminate TLS in front of hbbs (Caddy / nginx / Traefik) for production access. - `--relay-servers <host>` on hbbs must point at a host where TCP/WS 21119 is reachable from end-user browsers. Wire-format gotchas this commit nails (each one was a session of bisecting) -------------------------------------------------------------------------- - Hash.salt / Hash.challenge are proto `string` fields used as raw UTF-8 bytes in the SHA-256 chain. NOT base64-decoded. `pwd_hash = SHA256(pwd_text \|\| salt_utf8)`, `resp = SHA256(pwd_hash \|\| challenge_utf8)`. - Translate keyboard mode silently drops Unicode + ControlKey payloads on the host (input_service.rs:2022 has `// Do not handle unicode for now.`). Only Seq + Chr work in Translate. Use Legacy (mode=0) for everything. - Browser is forced to relay path by sending nat_type=SYMMETRIC. The peer generates its OWN uuid in handle_punch_hole's symmetric branch; use that uuid (carried back in RelayResponse) for the relay leg, not a fresh one. - Misc{audio_format} fires from the host's audio_service first-snapshot BETWEEN add_connection and login_response, so it lands on the wire before our session.recv() loop is set up. Session.open() captures pre-login messages into preloginExtras for the caller to replay. - protobufjs static-module sets unpopulated oneof fields to JS `null`, not `undefined`. A `if (msg.cursor_id !== undefined)` cursor branch swallowed every other message type including Misc; switched to loose `!= null` comparison. - WebCodecs AudioDecoder for opus emits `f32` (interleaved) AudioData — must deinterleave into separate AudioBuffer channels before playback. - VideoDecoder/AudioDecoder/SubtleCrypto are SecureContext-only; need http://localhost or https:// on the page origin, not the WS targets. - libsodium-wrappers ESM ships a broken relative import (`./libsodium.mjs` in a sibling package); switched to tweetnacl which has no such problem. - WebCrypto's SubtleCrypto.digest() doesn't accept SharedArrayBuffer-backed Uint8Arrays in newer TS lib types; doesn't matter — we use @noble/hashes for sha256 anyway since Subtle is secure-context-only. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-03 13:55:40 +02:00
mike	98b55e138e	feat(admin): OIDC sign-in, role sync, deploy/delete UX, and docs This commit lights up the missing pieces of the admin dashboard and the OIDC flow that the desktop client already speaks. It bundles several independent fixes that share enough touch points (oidc/callback, admin/mod, database schema) that splitting was more churn than help. OIDC — desktop client - /api/login: when TOTP is enrolled, return type:"email_check" + tfa_type:"tfa_check" instead of type:"tfa_check". The Flutter client's switch only branches on access_token / email_check; the prior shape silently fell into "bad response from server". - /api/login dispatcher: route the second leg to login_tfa_code when tfaCode + secret are both present, regardless of the declared type. The desktop client sends type:"email_code" for both email-code AND TOTP second legs and distinguishes by which field is set. - /api/oidc/auth-query: drop the bogus extra {"body": "..."} envelope. The desktop client's http_request_sync already wraps every response in {status_code, headers, body}, and HbbHttpResponse::parse expects the auth payload at that level. Our extra envelope made the parser fail silently as DataTypeFormat and the poll loop spun until the 180 s client timeout. - UserPayload: add a required info: {} field; the Rust-side polling deserializer at src/hbbs_http/account.rs expects it (no #[serde(default)]). Without it the AuthBody parse failed on every poll, producing the same forever-pending symptom as above. - Add an always-on info-level log line at the poll handler so this family of "client never advances" bugs is observable from hbbs.log. OIDC — admin dashboard - New unauthenticated entry points: GET /admin/oidc/providers JSON list for login.html GET /admin/login/oidc/:provider 302 → IdP authorization endpoint The session is marked admin-flow via a sentinel ("__admin_ui__") in client_id_str / client_uuid so the existing /oidc/callback can tell it apart from a desktop device flow. - /oidc/callback finishes admin sessions by setting the rd_admin_session cookie + 303 to /admin/. Non-admin users get a helpful error page instead of a session. - Admin-flow callbacks SKIP device_claim() so the dashboard sign-in no longer inserts a phantom "__admin_ui__" device row in device_sysinfo, and the token's peer_id / peer_uuid columns stay blank instead of carrying the sentinel. - admin_ui/login.html fetches the providers list on load and renders one button per enabled provider beneath the password form. OIDC — role-based admin sync - New per-provider config fields admin_role + roles_claim (in oidc.toml AND oidc_providers, via soft ALTER TABLE). When set, the callback evaluates the userinfo claim and forces users.is_admin accordingly on every login. Promotion AND demotion at the IdP propagate. Two claim shapes supported: - object key match (Zitadel: urn:zitadel:iam:org:project:roles -> { "admin": {...} }) - string-array contains (generic: roles -> ["admin","user"]) - user_upsert_oidc gains a desired_admin: Option<bool> arg so the same upsert path handles "leave admin alone" (desired_admin = None) and "force from IdP" (Some(bool)). Three unit tests cover both shapes plus the missing-claim case. Admin dashboard — Address books - Full CRUD for shared books from the dashboard: create, list shares, add/upgrade/remove a per-user share with read / read+write / full rules, delete the book. - Personal books also get a Delete action — confirms with a stronger message that the user's desktop client will recreate an empty personal book on next sync if it's still signed in (deletion is effectively "reset to empty", not "permanently revoked"). Use in combination with user-delete to fully revoke. - New DB methods: ab_create_shared, ab_delete (cascades peers/tags/ peer_tags/shares), ab_get_owner_kind, ab_list_shares, ab_share_set (idempotent upsert), ab_share_remove. Admin dashboard — Devices - Delete action in the per-row menu. device_delete cascades through device_sysinfo, peer (rendezvous identity), heartbeat_commands and peer-scoped strategy_assignments. Audit logs, recordings, and AB entries that reference the peer are intentionally preserved (historical/manual data). Admin dashboard — Deploy page - New page that generates the unsigned CustomServer blob the desktop client accepts via `rustdesk --config <blob>` (see rustdesk/src/custom_server.rs:get_custom_server_from_config_string; the unsigned-JSON path is a real codepath, no Pro signing key needed). Form prefills the public key from id_ed25519.pub in CWD. - Also emits the equivalent renamed-installer filename (rustdesk-host=...,key=... .exe). Strips api= from the filename when it equals the default http://<host>:21114 (Windows can't store : or / in filenames); warns when the API URL is non-default. Login form fixes - TOTP form field: rename serde wire field from tfa_code to tfaCode so the dashboard's HTMX form (input name="tfaCode") actually populates it. The previous mismatch silently dropped the code and the server kept asking for it. - TOTP redirect guard: only redirect on empty 2xx body (real login). The TOTP-required path returns 2xx with an HTML prompt fragment that must NOT be redirected away from. Docs - New docs/CONFIGURATION.md covering all CLI flags, OIDC setup (generic + Zitadel walk-through), role-based admin sync, TOTP, strategies, address books, dashboard URL map, DB notes, and a pre-prod security checklist. Schema - soft ALTER TABLE oidc_providers ADD COLUMN admin_role / roles_claim (guarded by the duplicate-column-name swallower for SQLite < 3.35). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-02 01:05:52 +02:00
mike	e183b386a1	fix(admin): show TOTP prompt instead of redirecting on 2fa-required login The login form's hx-on::after-request redirected to /admin/ on any 2xx response. The TOTP-required path also returns 2xx — with an HTML fragment that unhides the TFA section — so the redirect fired before the user ever saw the code input, locking out anyone who had enrolled TOTP. Only redirect when the 2xx body is empty (the real-login signal). When the body is non-empty it's the prompt fragment, which htmx swaps into #err and whose inline <script> reveals #tfa-section. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 20:37:49 +02:00
mike	5b288d671c	feat: M5 admin dashboard (HTMX + Tailwind CDN, embedded HTML) A web admin UI for the rustdesk-server, mounted at /admin/* on the existing HTTP API listener. Single-binary deploy preserved — the two HTML files live in admin_ui/ and are pulled into the binary via include_str! at build time, so there's nothing extra to ship. ================================================================================ Architecture ================================================================================ - Stack: HTMX 1.9 + Tailwind play CDN. No SPA, no Node toolchain. Pages are server-rendered HTML fragments returned by Rust handlers via Html<String>; the index.html shell uses hx-get to drop a fragment into the main pane and hx-push-url for back-button history. - Auth: same Bearer-token table the API uses. The dashboard log-in form POSTs username + password (+ optional TOTP) to /admin/login; on success the server mints a token and pins it in an HttpOnly + SameSite=Strict cookie (`rd_admin_session`). The AuthedUser extractor was extended to accept either the Authorization: Bearer header (curl, desktop client) OR the session cookie (browser). - Embedding: src/api/admin/mod.rs has `include_str!("../../../admin_ui/index.html")` + login.html. No tower_http::ServeDir wildcard — we ran into axum 0.5 routing conflicts between literal /admin/login routes and an /admin/* catch-all, so each HTML file is its own explicit route. ================================================================================ M5a — foundation ================================================================================ Files: admin_ui/index.html page shell + sidebar + HTMX + 401-bounces-to-login admin_ui/login.html credentials + TOTP form, posts to /admin/login src/api/admin/mod.rs router + include_str! + Cache-Control: no-cache src/api/admin/auth.rs /admin/login POST (form-encoded), /admin/logout POST src/api/admin/me.rs sidebar fragment ("Signed in as <name>") src/api/middleware.rs `AuthedUser` now reads either Bearer OR cookie src/api/state.rs `admin_ui_dir` (informational; UI is embedded) src/main.rs --admin-ui-dir flag (empty disables the dashboard) The login flow asks for TOTP transparently in the same form when the target user has a secret enrolled, so the dashboard inherits the TOTP gate from the API auth surface for free. ================================================================================ M5b — full CRUD pages ================================================================================ - Users (src/api/admin/pages/users.rs) — list, create, password reset, toggle admin / status, TOTP enroll / unenroll, delete. TOTP enroll surfaces the secret + otpauth URL once, on a dismissible banner above the table. - Devices (devices.rs) — list with hostname/OS/last-heartbeat/conn count, force-disconnect (queues `heartbeat_commands` row consumed at the next /api/heartbeat tick), force-sysinfo refresh. - Device groups (groups.rs) — list / create / delete / add member / remove member. Per-group section, with an add-member dropdown of users not yet in the group. - Strategies (strategies.rs) — list / create / edit config_options / delete. config_options is validated as a JSON object on the server side before persist; bad JSON is reflected to the page with a friendly error notice. - Address books (address_books.rs) — read-only overview of all books with owner, kind (personal / shared badge), peer count, GUID. - OIDC providers (oidc.rs) — read-only list of what's configured. Editing remains operator-side via --oidc-config TOML or direct SQL. ================================================================================ M5c — audit + recordings browsers ================================================================================ - Audit log (audit.rs) — three tabs (Connections / File transfers / Alarms), each capped at the latest 200 rows. Tab pills are HTMX links with hx-get + hx-target="#main" so the tab switch is a single fetch. - Recordings (recordings.rs) — read-only list with peer / size / state / start / finish. Streaming download is a follow-up; for now operators pull files from --recording-dir directly. ================================================================================ DB methods added ================================================================================ - Users: users_list_all, user_set_status, user_set_admin, user_set_password, user_delete, user_has_totp, raw_update_user_email - Devices: devices_list_all, device_sysinfo_get_conns, heartbeat_command_queue (also used elsewhere; surfaced) - Groups: device_groups_list_all, device_group_members, device_group_create, device_group_delete, device_group_add_member, device_group_remove_member - Strategy: strategies_list_all, strategy_create, strategy_update_config, strategy_delete - Audit: audit_conn_list, audit_file_list, audit_alarm_list - Misc: ab_list_all_with_owner, recordings_list All use the runtime sqlx::query("...") form (matching the project-wide convention) so the SQLite compile-time-check macros don't require these new tables to pre-exist in the dev DB. ================================================================================ Conventions enforced ================================================================================ - Every page handler gates on require_admin(&AuthedUser) — non-admin users get an HTTP 403 + JSON envelope, which the SPA shell catches and bounces back to the login form. - HTML fragments are produced via `format!`-with-named-args; html_escape is centralized in src/api/admin/pages/shared.rs and applied to every user-supplied string before it lands in the DOM. - All mutations return either the updated table fragment OR notice_html(kind, msg) + the table — same pattern across pages, so HTMX swap targets stay simple (always #region innerHTML). - Cookie carries no path restriction so it also authorizes /api/* calls the dashboard might want to make from the browser; HttpOnly + SameSite=Strict mitigates XSS / CSRF; Max-Age tracks ApiConfig's session_ttl_secs (30 days). ================================================================================ Verification ================================================================================ 1. cargo build --release — clean. 2. End-to-end smoke test: - /admin/ serves index.html (4406 bytes), /admin/login.html serves login.html (2598 bytes). - POST /admin/login with valid creds returns 200 + Set-Cookie `rd_admin_session=…; HttpOnly; Path=/; SameSite=Strict; Max-Age=…`. - All eight /admin/pages/* fragments return 200 with cookie. - Users CRUD round-trip: create alice → toggle admin → disable → reset password → enroll TOTP (32-char secret displayed once) → unenroll → delete; self-action guard rejects suicide deletes. - Groups CRUD: create engineering → add alice as member → SQL confirms the row. - Strategies: valid JSON accepted, invalid JSON rejected with a friendly notice. - Audit tabs: all three render 200; empty-state messages appear when no rows. - /admin/logout clears the cookie; subsequent /admin/me returns 401. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-01 20:13:35 +02:00

4 Commits