WHIP: Improve WHIP deletion by token verification. v5.0.164, v6.0.58 (#3595)

------

Co-authored-by: chundonglinlin <chundonglinlin@163.com>

trunk/src/app/srs_app_rtc_api.cpp

@@ -241,6 +241,7 @@ srs_error_t SrsGoApiRtcPlay::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessa
 
     ruc->local_sdp_str_ = local_sdp_str;
     ruc->session_id_ = session->username();
+    ruc->token_ = session->token();
 
     srs_trace("RTC username=%s, dtls=%u, srtp=%u, offer=%dB, answer=%dB", session->username().c_str(),
         ruc->dtls_, ruc->srtp_, ruc->remote_sdp_str_.length(), local_sdp_escaped.length());
@@ -510,6 +511,7 @@ srs_error_t SrsGoApiRtcPublish::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMe
 
     ruc->local_sdp_str_ = local_sdp_str;
     ruc->session_id_ = session->username();
+    ruc->token_ = session->token();
 
     srs_trace("RTC username=%s, offer=%dB, answer=%dB", session->username().c_str(),
         ruc->remote_sdp_str_.length(), local_sdp_escaped.length());
@@ -603,7 +605,16 @@ srs_error_t SrsGoApiRtcWhip::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessa
     // TODO: FIXME: Stop and cleanup the RTC session.
     if (r->method() == SRS_CONSTS_HTTP_DELETE) {
         string username = r->query_get("session");
+        string token = r->query_get("token");
+        if (token.empty()) {
+            return srs_error_new(ERROR_RTC_INVALID_SESSION, "token empty");
+        }
+
         SrsRtcConnection* session = server_->find_session_by_username(username);
+        if (session && token != session->token()) {
+            return srs_error_new(ERROR_RTC_INVALID_SESSION, "token %s not match", token.c_str());
+        }
+
         if (session) session->expire();
         srs_trace("WHIP: Delete session=%s, p=%p, url=%s", username.c_str(), session, r->url().c_str());
 
@@ -626,8 +637,8 @@ srs_error_t SrsGoApiRtcWhip::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessa
     // Setup the content type to SDP.
     w->header()->set("Content-Type", "application/sdp");
     // The location for DELETE resource, not required by SRS, but required by WHIP.
-    w->header()->set("Location", srs_fmt("/rtc/v1/whip/?action=delete&app=%s&stream=%s&session=%s",
-        ruc.req_->app.c_str(), ruc.req_->stream.c_str(), ruc.session_id_.c_str()));
+    w->header()->set("Location", srs_fmt("/rtc/v1/whip/?action=delete&token=%s&app=%s&stream=%s&session=%s",
+        ruc.token_.c_str(), ruc.req_->app.c_str(), ruc.req_->stream.c_str(), ruc.session_id_.c_str()));
     w->header()->set_content_length((int64_t)sdp.length());
     // Must be 201, see https://datatracker.ietf.org/doc/draft-ietf-wish-whip/
     w->write_header(201);

trunk/src/app/srs_app_rtc_conn.cpp

@@ -1884,6 +1884,11 @@ string SrsRtcConnection::username()
     return username_;
 }
 
+string SrsRtcConnection::token()
+{
+    return token_;
+}
+
 ISrsKbpsDelta* SrsRtcConnection::delta()
 {
     return networks_->delta();
@@ -2004,6 +2009,7 @@ srs_error_t SrsRtcConnection::initialize(SrsRequest* r, bool dtls, bool srtp, st
     srs_error_t err = srs_success;
 
     username_ = username;
+    token_ = srs_random_str(9);
     req_ = r->copy();
 
     SrsSessionConfig* cfg = &local_sdp.session_negotiate_;

trunk/src/app/srs_app_rtc_conn.hpp

@@ -444,6 +444,8 @@ private:
 private:
     // The local:remote username, such as m5x0n128:jvOm where local name is m5x0n128.
     std::string username_;
+    // The random token to verify the WHIP DELETE request etc.
+    std::string token_;
     // A group of networks, each has its own DTLS and SRTP context.
     SrsRtcNetworks* networks_;
 private:
@@ -484,6 +486,8 @@ public:
     void set_state_as_waiting_stun();
     // Get username pair for this connection, used as ID of session.
     std::string username();
+    // Get the token for verify this session, for example, when delete session by WHIP API.
+    std::string token();
 public:
     virtual ISrsKbpsDelta* delta();
 // Interface ISrsResource.

trunk/src/app/srs_app_rtc_server.hpp

@@ -62,6 +62,7 @@ public:
     // Session data.
     std::string local_sdp_str_;
     std::string session_id_;
+    std::string token_;
 
     // Generated data.
     SrsRequest* req_;