feat(auth): kick clients and publishers when auth token expires #5813

Open: thejoeejoee wants to merge 7 commits into bluenviron:main from thejoeejoee:feat-jwt-auth-continuous-check

@thejoeejoee thejoeejoee commented May 29, 2026

Periodic check of auth token expiration for connected readers and publishers. Expired clients are disconnected.

Generic naming allows future extension to external auth re-validation or JWKS re-fetch.

Closes #4300

codecov Bot commented May 30, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 62.73%. Comparing base (874b47d) to head (7886f3b).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/core/path.go | 45.83% | 9 Missing and 4 partials ⚠️ |
| internal/core/path_manager.go | 66.66% | 4 Missing and 2 partials ⚠️ |
| internal/auth/manager.go | 87.50% | 1 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5813      +/-   ##
==========================================
- Coverage   62.73%   62.73%   -0.01%     
==========================================
  Files         243      243              
  Lines       21176    21231      +55     
==========================================
+ Hits        13285    13319      +34     
- Misses       6764     6776      +12     
- Partials     1127     1136       +9     


aler9 (Member) commented May 30, 2026

This is interesting, my architectural concern is that in this implementation, the component in charge of periodically checking the JWT is the path, while I would have preferred readers to do this check by themselves. But the drawback of moving this logic into readers is that you have to write a dedicated check in each reader type.

Furthermore, a thing that's missing is that publisher's JWTs must be checked too.

thejoeejoee (Author) commented

> This is interesting, my architectural concern is that in this implementation, the component in charge of periodically checking the JWT is the path, while I would have preferred readers to do this check by themselves. But the drawback of moving this logic into readers is that you have to write a dedicated check in each reader type.

Path felt like the right place since it already owns the lifecycle of both readers and publishers (add/remove/close) — avoids duplicating the ticker logic in each reader/publisher type. If you'd prefer it per-reader though, I could extract a shared helper to keep it DRY.

> Furthermore, a thing that's missing is that publisher's JWTs must be checked too.

They're already checked here too, checkAuthExpiry() kicks both expired readers and the publisher:

https://github.com/thejoeejoee/mediamtx/blob/feat-jwt-auth-continuous-check/internal/core/path.go#L989-L995

thejoeejoee force-pushed the feat-jwt-auth-continuous-check branch from 813ed1a to 8210974 on May 30, 2026 18:01

thejoeejoee changed the title from "feat(auth): kick clients when auth token expires" to "feat(auth): kick clients and publishers when auth token expires" on May 30, 2026

Periodic check of auth token expiration for connected readers and
publishers. Expired clients are disconnected. Configurable via
authCheckInterval (default 30s, 0 to disable).

Generic naming (authCheckInterval, AuthExpiry) allows future extension
to external auth re-validation or JWKS re-fetch.

thejoeejoee force-pushed the feat-jwt-auth-continuous-check branch from cbec46f to d8243c0 on May 30, 2026 20:12
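
The path-owned periodic sweep discussed in this thread, as an added Go example that is not code from this pull request or from MediaMTX. The `session` and `path` types and the `run` method are hypothetical, and `checkAuthExpiry` borrows only its name from the discussion; its body is an assumption about how such a sweep can work.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// session is a hypothetical reader or publisher; zero expiry = no expiring token.
type session struct{ expiry time.Time }

// path is a hypothetical owner of every session attached to one stream.
type path struct{ sessions map[string]*session }

// checkAuthExpiry drops sessions whose token expired at or before now, returns sorted ids.
func (p *path) checkAuthExpiry(now time.Time) []string {
	kicked := []string{}
	for id, s := range p.sessions {
		if !s.expiry.IsZero() && !now.Before(s.expiry) {
			delete(p.sessions, id) // real code would also close the connection
			kicked = append(kicked, id)
		}
	}
	sort.Strings(kicked)
	return kicked
}

// run sweeps every interval until done closes; 0 disables (NewTicker panics on <= 0).
func (p *path) run(interval time.Duration, done <-chan struct{}) {
	if interval <= 0 {
		<-done
		return
	}
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case now := <-t.C:
			p.checkAuthExpiry(now)
		case <-done:
			return
		}
	}
}

func main() {
	base := time.Date(2026, 5, 30, 12, 0, 0, 0, time.UTC) // constructed sample clock
	p := &path{sessions: map[string]*session{"pub1": {base.Add(10 * time.Second)}, "rd1": {base.Add(90 * time.Second)}, "rd2": {}}}
	fmt.Println(p.checkAuthExpiry(base.Add(30 * time.Second)))
}
```

With a sweep like this, a session can stay connected for up to one interval after its token expires, so the configured interval is the bound on post-expiry access.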
Development

Successfully merging this pull request may close these issues.

Kick clients when the JWT expires
