From 261a936bb84a0e3ec82e94cb87c029a3edd0364d Mon Sep 17 00:00:00 2001
From: Xiaokui Shu
Date: Wed, 25 Dec 2024 17:09:23 -0500
Subject: [PATCH 1/3] Add rtsp server failed auth logging

---
 internal/rtsp/rtsp.go | 6 +++++-
 pkg/rtsp/server.go | 10 +++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/internal/rtsp/rtsp.go b/internal/rtsp/rtsp.go
index 0fe135f8..0777219d 100644
--- a/internal/rtsp/rtsp.go
+++ b/internal/rtsp/rtsp.go
@@ -1,6 +1,7 @@
 package rtsp
 
 import (
+ "fmt"
  "io"
  "net"
  "net/url"
@@ -237,7 +238,10 @@ func tcpHandler(conn *rtsp.Conn) {
  })
 
  if err := conn.Accept(); err != nil {
- if err != io.EOF {
+ if err == rtsp.FailedAuth {
+ rAddr := conn.Connection.RemoteAddr
+ log.Warn().Msg(fmt.Sprintf("[rtsp] failed authentication from %s", rAddr))
+ } else if err != io.EOF {
  log.WithLevel(level).Err(err).Caller().Send()
  }
  if closer != nil {
diff --git a/pkg/rtsp/server.go b/pkg/rtsp/server.go
index c96125a2..9527e155 100644
--- a/pkg/rtsp/server.go
+++ b/pkg/rtsp/server.go
@@ -13,6 +13,8 @@ import (
  "github.com/AlexxIT/go2rtc/pkg/tcp"
 )
 
+var FailedAuth = errors.New("failed authentication")
+
 func NewServer(conn net.Conn) *Conn {
  return &Conn{
  Connection: core.Connection{
@@ -54,7 +56,13 @@ func (c *Conn) Accept() error {
  if err = c.WriteResponse(res); err != nil {
  return err
  }
- continue
+ if req.Header.Get("Authorization") != "" {
+ // eliminate false positive: ffmpeg sends first request without
+ // authorization header even if the user provides credentials
+ return FailedAuth
+ } else {
+ continue
+ }
  }
 
  // Receiver: OPTIONS > DESCRIBE > SETUP... > PLAY > TEARDOWN
From 9e673559c4e725628613dfd831e4fc08d09906e1 Mon Sep 17 00:00:00 2001
From: Xiaokui Shu
Date: Wed, 8 Jan 2025 21:31:37 -0500
Subject: [PATCH 2/3] Improve log formatting with Msgf

---
 internal/rtsp/rtsp.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/internal/rtsp/rtsp.go b/internal/rtsp/rtsp.go
index 0777219d..2e1d04e8 100644
--- a/internal/rtsp/rtsp.go
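Review bot: In the `tcpHandler` hunk of `internal/rtsp/rtsp.go` (PATCH 1/3), the new warning is written once per rejected connection and nothing in the visible lines throttles it, so a peer that keeps reconnecting with bad credentials decides how much warn-level output is produced. PATCH 2/3 and 3/3 reshape the same line without changing this. If no limiter exists elsewhere, I would record that next to the branch, e.g. `// one warn per rejected connection; rate-limit per remote_addr before exposing this port to untrusted networks`, and consider adding the requested stream to the event so an operator can see what was targeted. The body of `tcpHandler` starts and ends outside the hunk.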
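Review bot: `FailedAuth` in the first `pkg/rtsp/server.go` hunk is an exported sentinel error with neither the conventional `Err` prefix nor a doc comment, which is what callers and linters (staticcheck ST1012) look for. I would declare it as `// ErrFailedAuth is returned by Accept when a request carries an Authorization header that does not validate.` followed by `var ErrFailedAuth = errors.New("failed authentication")`, and update the comparison in `internal/rtsp/rtsp.go` to match. The name stays unchanged through PATCH 3/3.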
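Review bot: In the `Accept` hunk of `pkg/rtsp/server.go`, a request with no `Authorization` header still takes the `continue` branch, so it is answered with 401, never reaches the new log line, and nothing visible bounds how often one connection can repeat it. That leaves credential-less probing unrecorded and lets an unauthenticated peer stay in this loop, assuming no read deadline is applied outside the hunk. A small per-connection cap placed before the `continue` would close both gaps, e.g. `if unauthorized++; unauthorized > maxUnauthorized { return FailedAuth }`, where both names are ones you would add. PATCH 3/3 rewrites this branch around `empty` but keeps the same unbounded `continue`; the loop and the rest of `Accept` lie outside the hunk.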
+++ b/internal/rtsp/rtsp.go
@@ -1,7 +1,6 @@
 package rtsp
 
 import (
- "fmt"
  "io"
  "net"
  "net/url"
@@ -239,8 +238,7 @@ func tcpHandler(conn *rtsp.Conn) {
 
  if err := conn.Accept(); err != nil {
  if err == rtsp.FailedAuth {
- rAddr := conn.Connection.RemoteAddr
- log.Warn().Msg(fmt.Sprintf("[rtsp] failed authentication from %s", rAddr))
+ log.Warn().Str("remote_addr", conn.Connection.RemoteAddr).Msg("[rtsp] failed authentication")
  } else if err != io.EOF {
  log.WithLevel(level).Err(err).Caller().Send()
  }
From 02ac3a681432aec38ac3dbf8dcbd8db1e2fee9f5 Mon Sep 17 00:00:00 2001
From: Alex X
Date: Tue, 18 Feb 2025 12:01:55 +0300
Subject: [PATCH 3/3] Code refactoring for RTSP auth

---
 internal/rtsp/rtsp.go | 3 ++-
 pkg/rtsp/server.go | 7 +++----
 pkg/tcp/auth.go | 8 ++++----
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/internal/rtsp/rtsp.go b/internal/rtsp/rtsp.go
index 2e1d04e8..c680dd07 100644
--- a/internal/rtsp/rtsp.go
+++ b/internal/rtsp/rtsp.go
@@ -1,6 +1,7 @@
 package rtsp
 
 import (
+ "errors"
  "io"
  "net"
  "net/url"
@@ -237,7 +238,7 @@ func tcpHandler(conn *rtsp.Conn) {
  })
 
  if err := conn.Accept(); err != nil {
- if err == rtsp.FailedAuth {
+ if errors.Is(err, rtsp.FailedAuth) {
  log.Warn().Str("remote_addr", conn.Connection.RemoteAddr).Msg("[rtsp] failed authentication")
  } else if err != io.EOF {
  log.WithLevel(level).Err(err).Caller().Send()
diff --git a/pkg/rtsp/server.go b/pkg/rtsp/server.go
index 9527e155..d7e89f5f 100644
--- a/pkg/rtsp/server.go
+++ b/pkg/rtsp/server.go
@@ -47,7 +47,7 @@ func (c *Conn) Accept() error {
 
  c.Fire(req)
 
- if !c.auth.Validate(req) {
+ if valid, empty := c.auth.Validate(req); !valid {
  res := &tcp.Response{
  Status: "401 Unauthorized",
  Header: map[string][]string{"Www-Authenticate": {`Basic realm="go2rtc"`}},
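Review bot: In the `tcpHandler` hunk of PATCH 3/3, the `FailedAuth` check moves to `errors.Is` while the context line right after it still compares `err != io.EOF` directly, so the two branches now treat wrapped errors differently and a wrapped EOF would be logged at `level` as a failure. For consistency I would write the second branch as `} else if !errors.Is(err, io.EOF) {`; the `errors` import added by this commit already covers it. The body of `tcpHandler` continues outside the hunk.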
@@ -56,13 +56,12 @@ func (c *Conn) Accept() error {
  if err = c.WriteResponse(res); err != nil {
  return err
  }
- if req.Header.Get("Authorization") != "" {
+ if empty {
  // eliminate false positive: ffmpeg sends first request without
  // authorization header even if the user provides credentials
- return FailedAuth
- } else {
  continue
  }
+ return FailedAuth
  }
 
  // Receiver: OPTIONS > DESCRIBE > SETUP... > PLAY > TEARDOWN
diff --git a/pkg/tcp/auth.go b/pkg/tcp/auth.go
index ac212fcf..3eb26024 100644
--- a/pkg/tcp/auth.go
+++ b/pkg/tcp/auth.go
@@ -85,14 +85,14 @@ func (a *Auth) Write(req *Request) {
  }
 }
 
-func (a *Auth) Validate(req *Request) bool {
+func (a *Auth) Validate(req *Request) (valid, empty bool) {
  if a == nil {
- return true
+ return true, true
  }
 
  header := req.Header.Get("Authorization")
  if header == "" {
- return false
+ return false, true
  }
 
  if a.Method == AuthUnknown {
@@ -100,7 +100,7 @@ func (a *Auth) Validate(req *Request) bool {
  a.header = "Basic " + B64(a.user, a.pass)
  }
 
- return header == a.header
+ return header == a.header, false
 }
 
 func (a *Auth) ReadNone(res *Response) bool {
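Review bot: `Validate` in `pkg/tcp/auth.go` now returns two booleans but has no doc comment, and the meaning of `empty` is not obvious from the signature: for a nil `*Auth` it is `true` whatever the request carried, and the caller in `pkg/rtsp/server.go` uses it to choose between a silent retry and `FailedAuth`. I would add `// Validate reports whether req carries the expected Authorization header. empty is true when no header was sent, and also when a is nil (which is treated as always valid).` above the signature. The function runs on into the next hunk.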
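Review bot: The rewritten return at the end of `Validate` (`pkg/tcp/auth.go`, second hunk) still compares the client's header with the expected credential using `==`, which is not guaranteed to run in constant time. For a secret comparison on a network-facing path I would use `return subtle.ConstantTimeCompare([]byte(header), []byte(a.header)) == 1, false` and add `crypto/subtle` to the file's imports. `ConstantTimeCompare` still returns early when the lengths differ, so the credential length is not hidden. The start of `Validate` is in the previous hunk.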