unarr/internal/engine
Deivid Soto 444d7e63fd feat(stream): authenticate /stream and /hls with signed tokens
/stream and /hls were served with no auth (only CORS + rate limit), so a
funnel- or UPnP-exposed daemon leaked active downloads to anyone with the URL.

Bind a short-lived HMAC token (scope + 6h expiry) to every stream URL the
daemon hands out and verify it on each request:
- /stream + VLC playlist: ?t= query, agent-minted, scope "stream"
- /hls: path segment /hls/<session>/<token>/<resource>, web-minted with the
  agent's reported secret, scope "hls:<session>" — relative playlist URIs
  inherit it with no rewriting
- NO loopback exemption: cloudflared relays public funnel traffic over
  localhost, so a loopback source address is not a trust signal
- the agent reports its per-run signing key on register only when enforcing
- require_stream_token config (default true); secret fails hard if rand fails
- /playlist.m3u no longer self-mints a token (was an open token oracle)

Roadmap: Docs/plans/unarr-agent-roadmap.md (hueco #1).
Deploy the web HLS-minting change BEFORE shipping this agent release.
2026-05-31 01:19:14 +02:00
debrid.go feat(sync): replace WS+DO transport with unified HTTP sync 2026-04-08 18:50:59 +02:00
debrid_test.go chore: rename module from torrentclaw-cli to unarr 2026-03-30 13:06:07 +02:00
hls.go fix(hls): drop nvenc -tune ll — kills hls segmentation, bump 0.9.17 2026-05-27 21:57:16 +02:00
hls_cache.go feat(hls): persistent fMP4 segment cache + integrity + stats (0.9.7) 2026-05-26 23:39:02 +02:00
hls_cache_smoke_test.go feat(hls): persistent fMP4 segment cache + integrity + stats (0.9.7) 2026-05-26 23:39:02 +02:00
hls_cache_test.go feat(hls): persistent fMP4 segment cache + integrity + stats (0.9.7) 2026-05-26 23:39:02 +02:00
hls_test.go feat(hls): pre-segmentación delantada — 2 s segments + async session start (0.9.10) 2026-05-27 11:36:41 +02:00
hwaccel.go feat(hls): faster first-start — probe cache + tighter encoder presets (0.9.9) 2026-05-27 10:09:42 +02:00
hwaccel_test.go refactor(hls): critico-driven hardening of fase 3.2 2026-05-27 11:15:44 +02:00
manager.go feat(sync): replace WS+DO transport with unified HTTP sync 2026-04-08 18:50:59 +02:00
manager_integration_test.go test: add comprehensive test suite for engine, agent and cmd packages 2026-04-08 23:36:00 +02:00
manager_test.go fix(ci): fix lint errors and pin CI to Go 1.25 2026-03-31 22:15:12 +02:00
method.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
method_test.go feat(cli): upgrade command, rich status, and version cache 2026-03-31 22:05:43 +02:00
notify.go feat: improve daemon resilience, streaming, and usenet downloads 2026-03-28 21:36:12 +01:00
notify_test.go feat: improve daemon resilience, streaming, and usenet downloads 2026-03-28 21:36:12 +01:00
organize.go feat(organize): use server metadata for file organization and subtitle handling 2026-04-05 23:36:01 +02:00
organize_expand_test.go feat(organize): use server metadata for file organization and subtitle handling 2026-04-05 23:36:01 +02:00
organize_test.go feat: improve daemon resilience, streaming, and usenet downloads 2026-03-28 21:36:12 +01:00
probe.go feat(hls): faster first-start — probe cache + tighter encoder presets (0.9.9) 2026-05-27 10:09:42 +02:00
probe_cache.go refactor(hls): critico-driven hardening of fase 3.2 2026-05-27 11:15:44 +02:00
probe_cache_test.go refactor(hls): critico-driven hardening of fase 3.2 2026-05-27 11:15:44 +02:00
probe_test.go feat(stream): pion-based WebRTC byte streamer for browser playback 2026-05-06 23:12:38 +02:00
progress.go fix(docker): three streaming/reliability bugs found in live docker test 2026-05-30 08:59:33 +02:00
progress_test.go fix(ci): fix lint errors and pin CI to Go 1.25 2026-03-31 22:15:12 +02:00
resolve.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
resolve_test.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
safepath.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
safepath_test.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
sockopt_unix.go fix(stream): use platform-specific socket options for Windows cross-compilation 2026-04-07 19:18:13 +02:00
sockopt_windows.go fix(stream): use platform-specific socket options for Windows cross-compilation 2026-04-07 19:18:13 +02:00
stream.go fix(stream): fix black screen on remote/Tailscale streaming 2026-04-09 16:15:41 +02:00
stream_player.go fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs 2026-05-15 18:48:59 +02:00
stream_server.go feat(stream): authenticate /stream and /hls with signed tokens 2026-05-31 01:19:14 +02:00
stream_server_extra_test.go test(coverage): raise engine+agent coverage above 50% 2026-05-12 11:21:59 +02:00
stream_server_test.go fix(security): CORS allowlist, URL scheme guard, state perms, ZIP slip, mirror docs 2026-05-15 18:48:59 +02:00
stream_source.go feat(stream)!: retire WebRTC, HLS-only, bump 0.9.4 2026-05-26 18:04:35 +02:00
stream_source_test.go test(coverage): raise engine+agent coverage above 50% 2026-05-12 11:21:59 +02:00
stream_test.go fix(stream): fix black screen on remote/Tailscale streaming 2026-04-09 16:15:41 +02:00
stream_token.go feat(stream): authenticate /stream and /hls with signed tokens 2026-05-31 01:19:14 +02:00
stream_token_test.go feat(stream): authenticate /stream and /hls with signed tokens 2026-05-31 01:19:14 +02:00
task.go fix(engine): truncate errorMessage before reporting status 2026-05-23 15:34:58 +02:00
task_test.go fix(lint): use default:none to disable errcheck, fix all gofmt and exhaustive 2026-03-31 00:29:16 +02:00
torrent.go fix(docker): three streaming/reliability bugs found in live docker test 2026-05-30 08:59:33 +02:00
torrent_test.go test: add comprehensive test suite for engine, agent and cmd packages 2026-04-08 23:36:00 +02:00
transcode_quality.go feat(stream)!: retire WebRTC, HLS-only, bump 0.9.4 2026-05-26 18:04:35 +02:00
transcoder.go feat(stream)!: retire WebRTC, HLS-only, bump 0.9.4 2026-05-26 18:04:35 +02:00
transcoder_test.go test(coverage): raise engine+agent coverage above 50% 2026-05-12 11:21:59 +02:00
upnp.go fix: resolve deadlock, data races and path traversal vulnerabilities 2026-04-08 23:36:18 +02:00
upnp_debug_test.go feat(stream): add NAT-PMP port mapping for remote downloads 2026-04-06 10:09:07 +02:00
upnp_live_test.go feat(stream): add NAT-PMP port mapping for remote downloads 2026-04-06 10:09:07 +02:00
upnp_test.go feat(stream): add NAT-PMP port mapping for remote downloads 2026-04-06 10:09:07 +02:00
usenet.go fix: resolve deadlock, data races and path traversal vulnerabilities 2026-04-08 23:36:18 +02:00
usenet_test.go test(coverage): raise engine+agent coverage above 50% 2026-05-12 11:21:59 +02:00
vaapi_args_test.go test(vaapi): dump full ffmpeg argv for smoke validation 2026-05-27 15:58:30 +02:00
validate.go fix(cors): allow play from .to / staging / onion mirrors 2026-05-27 10:06:54 +02:00
verify.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
verify_test.go feat: initial commit — unarr CLI 2026-03-28 11:29:42 +01:00
watch_reporter.go feat(stream): report duration and position in watch progress 2026-04-07 23:29:00 +02:00
watch_reporter_test.go fix(security): UPnP opt-in, bounded SSE reader, signed self-update 2026-05-15 17:29:22 +02:00