feat(proxy): support explicit LAN sharing modes #1366
Open
maybeknott wants to merge 3 commits into
The proxy listener is a local ingress point for both HTTP and SOCKS traffic. Binding that listener to a wildcard address or LAN address exposes the relay surface to other devices on the network. Without inbound proxy authentication, that exposure can turn a local client into an unauthenticated shared proxy and allow unrelated devices to consume the operator's Apps Script quota. The default listen_host is now 127.0.0.1, matching the local-only behavior expected for a desktop proxy. Config validation now accepts IPv4 loopback, IPv6 loopback, bracketed IPv6 loopback, and localhost. It rejects wildcard binds, LAN addresses, public hostnames, and other non-loopback values with a hard configuration error before any listener socket is opened. The guard is implemented at configuration validation time rather than at bind time so TOML loading, JSON migration, CLI startup, and UI save paths all observe the same fail-closed rule. Existing explicit loopback profiles continue to load unchanged. Profiles that rely on 0.0.0.0 or a LAN address must wait for an authenticated LAN-sharing mode rather than silently opening an unauthenticated listener. TOML examples now show the loopback listener and call out that non-loopback binds are rejected until inbound proxy authentication exists. The English and Persian guides no longer instruct users to set listen_host to 0.0.0.0 for hotspot or OpenWRT sharing; they describe the current local-only safety behavior instead. Focused config tests cover the repaired default, accepted loopback forms, rejected wildcard and non-loopback forms, TOML network defaults, and JSON-to-TOML migration preserving the loopback listen_host.
The config validator now rejects non-loopback listen_host values until inbound HTTP/SOCKS authentication exists, but the desktop form still exposed the previous LAN-sharing checkbox that wrote 0.0.0.0. That made the UI capable of saving a configuration the application would intentionally reject on the next start. Align the Network row with the fail-closed bind policy. The share-with-LAN checkbox is displayed disabled, the form keeps loopback as the saved value for normal configurations, and the hover/help text explains that LAN sharing returns only after authenticated inbound proxy mode exists. If an existing form load contains a wildcard or custom non-loopback bind, show it as unsafe and provide a Reset to loopback action instead of silently overwriting it. This keeps the UI, saved TOML behavior, and startup validation consistent while preserving the user's ability to see and repair an old unsafe value.
Add first-class inbound proxy authentication for non-loopback proxy binds while preserving the frictionless trusted-LAN workflow as an explicit persisted opt-in. The configuration model now supports proxy_auth credentials for HTTP Basic and SOCKS5 username/password authentication, plus allow_unauthenticated_lan for private home networks and personal hotspots where the operator intentionally wants open LAN access. Enforce the selected mode at runtime. HTTP proxy requests require Proxy-Authorization when credentials are configured and return 407 when authentication is missing or invalid. SOCKS5 negotiation selects RFC 1929 username/password authentication when configured, rejects clients that do not offer it, and keeps no-auth negotiation available when the operator has opted into unauthenticated LAN sharing. If allow_unauthenticated_lan is true, runtime auth is disabled even if stale credentials remain in a hand-edited config. Extend validation and TOML migration coverage so non-loopback binds fail unless they are protected by complete credentials or explicitly marked as open LAN. Partial credentials are rejected to avoid ambiguous exposure states, and TOML tests cover both authenticated and open LAN configurations. Update the desktop UI to expose LAN sharing as a real workflow instead of disabling it. The UI now lets users toggle sharing, choose authenticated or open trusted-LAN mode, enter proxy credentials, see the detected LAN endpoint, and receive a persistent-mode warning when switching between authenticated and open LAN behavior. Saving the form makes the selected mode the default for future launches, and switching back plus saving restores the safer authenticated posture. Refresh the example TOML files and English/Persian guide sections with concrete LAN-sharing configuration snippets, client setup notes, and warnings about quota exposure on shared networks.
This changes LAN proxy exposure from an implicit default into an explicit user-controlled mode.
The proxy now defaults to loopback-only binds. Non-loopback binds are accepted only when the user either configures proxy credentials or explicitly opts into open trusted-LAN sharing with allow_unauthenticated_lan = true. That preserves the convenient home/personal-hotspot workflow without silently exposing an unauthenticated relay on shared networks.

Authenticated LAN sharing supports HTTP Basic proxy authentication and SOCKS5 username/password authentication. The config validator rejects partial credentials and rejects non-loopback binds unless one of the two LAN modes is selected. TOML examples include both the safe authenticated shape and the explicit trusted-LAN opt-in.

The desktop UI exposes the LAN mode instead of forcing users to hand-edit listen_host. Toggling open LAN mode shows a warning, saves persist the selected default for future launches, and users can switch back by disabling the option and saving again.

Validation:

git diff --check upstream/main..HEAD
cargo test listen_host --lib
cargo test proxy_auth --lib
cargo test authenticated_lan --lib
cargo test unauthenticated_lan --lib
cargo test socks5_username_password_auth --lib
cargo test toml_parses_explicit_open_lan_bind --lib
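
The bind policy described in this pull request, written out as an added example; it is not the project's code. The key names listen_host, proxy_auth and allow_unauthenticated_lan come from the text above, while the `Config`, `Policy`, `is_loopback` and `validate` names, the tuple credential shape, and the choice to reject partial credentials in every mode are assumptions.

```rust
use std::net::IpAddr;

/// Hypothetical config shape. Only the key names listen_host, proxy_auth and
/// allow_unauthenticated_lan come from the PR text; the rest is assumed.
#[derive(Default)]
pub struct Config {
    pub listen_host: String,
    pub proxy_auth: Option<(String, String)>, // (username, password)
    pub allow_unauthenticated_lan: bool,
}

/// What the listener will do once the config is accepted.
#[derive(Debug, PartialEq)]
pub struct Policy {
    pub lan_exposed: bool,
    pub require_auth: bool,
}

/// True for "localhost", IPv4/IPv6 loopback literals and bracketed "[::1]".
pub fn is_loopback(host: &str) -> bool {
    let h = host.trim();
    if h.eq_ignore_ascii_case("localhost") {
        return true;
    }
    let h = h.strip_prefix('[').and_then(|s| s.strip_suffix(']')).unwrap_or(h);
    h.parse::<IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false)
}

/// Fail closed at validation time, before any listener socket is opened.
pub fn validate(cfg: &Config) -> Result<Policy, String> {
    let complete = match &cfg.proxy_auth {
        None => false,
        // Exactly one of the two fields set: an ambiguous exposure state.
        Some((u, p)) if u.is_empty() != p.is_empty() => {
            return Err("proxy_auth needs both username and password".into());
        }
        Some((u, _)) => !u.is_empty(),
    };
    let lan_exposed = !is_loopback(&cfg.listen_host);
    if lan_exposed && !complete && !cfg.allow_unauthenticated_lan {
        return Err(format!("listen_host {:?} is not loopback: set proxy_auth \
            or allow_unauthenticated_lan", cfg.listen_host));
    }
    // Open trusted-LAN mode disables auth even if credentials are still present.
    Ok(Policy { lan_exposed, require_auth: complete && !cfg.allow_unauthenticated_lan })
}

fn main() {
    // Constructed sample: wildcard bind with no LAN mode selected.
    let cfg = Config { listen_host: "0.0.0.0".into(), ..Default::default() };
    println!("{:?}", validate(&cfg));
}
```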